
INFRASTRUCTURE LOG

DAY 82: There are so many risks out there. So many things that can happen to our business: natural disasters, spikes in traffic, mergers. How do we prepare? One in three companies don't recover from unplanned downtime.¹ Would we?

Gil has wrapped everything in the office with bubble wrap. Everything. Just to be safe.

DAY 83: I'm preparing with IBM Business Resilience Solutions. IBM Business Continuity Services can help us assess our risks and design a proactive plan to deal with them. IBM Tivoli gives us the visibility to diagnose and fix infrastructure problems.

And the robust availability features of the IBM System p™ give us maximum uptime. The future feels so much safer now.

No more bubble wrap. And I have to mail a package. Great.


Take  the  business  continuity  assessment  at: 

IBM.COM/TAKEBACKCONTROL/READY 


September  2007 


42 Team Time
CSO UNDERCOVER How establishing a formal security management team can free you up to focus on strategy.

13 Briefing
Washington takes on global warming as a national security threat; Safeguarding your brand online; Interview with Ram Charan; Great Britain pushes the limits of modern surveillance; New activist tool: Cyber sit-ins; John Clippinger promotes user-centric security

48 Debriefing
Pop Quiz: Underachieving Thieves

4 CSOonline.com
6 From the Editor
8 From the Publisher
Letters
Index

20 Inside the Global Hacking Service Economy
INFORMATION SECURITY Gozi and Mpack, iframes, the HangUp Team, 76Service—these are key names in the evolution of modern cybercrime, where identity theft is point-and-click. We follow security researchers behind the curtain. By Scott Berinato

34 Cover Story: Look Smart
VIDEO ANALYTICS Video content analysis is getting better all the time, but it's still new enough that buyers should proceed with eyes wide open. By Sarah D. Scalet

4( A Disclosure Proposal
REGULATIONS Two attorneys lead an online debate on how a federal breach disclosure law ought to look. By Sarah D. Scalet


2  www.csoonline.com  September  2007 


COVER  PHOTO  BY  PETER  MURPHY 


We've given online security a whole new color.

Before another visitor abandons your site, consider why sites like eBay®, Travelocity® and Charles Schwab® use VeriSign® Extended Validation (EV) SSL Certificates. This new technology turns the address bar in high-security browsers green, indicating it's safe to transact on a site. That's the power of the Web's most trusted name in security. VeriSign.

So the world can: proceed securely to checkout.

Get your free EV white paper at www.verisign.com/dm/evssl or call 1-866-893-6565.


©2007 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the checkmark circle, VeriSign Secured, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.



President  and  CEO 

Michael  Friedenberg 
Publisher  Bob  Bragdon 

EDITORIAL 

Editor  in  Chief  Derek  Slater 
Executive  Editor  Scott  Berinato 
Senior  Editor  Sarah  D.  Scalet 
Assistant  Managing  Editor 
Emily  S.  Henderson 
Associate  Staff  Writers 
Christopher  Lynch,  Katherine  Walsh 
Senior  Copy  Editor 
Cathy  Mallen 
Copy  Editor 
Susan  Bryant-Still 
Editorial  Assistant 
Kristin  Burnham 
Editorial  Administrator 
Jill  Paquette 
Contributors 

Daintry  Duffy,  Robert  McMillan 

DESIGN 

Executive  Director,  Art  and 
Design  Mary  Lester 
Art  Director  Steve  Traynor 

RESEARCH 

Research  Manager 
Carolyn  Johnson 
Senior  Research  Analyst 
Seanna  Maguire 

ONLINE  EDITORIAL 

Online  Editorial  Director 
Christopher  Lindquist 
Online  Managing  Editor 
Michael  Goldberg 
Senior  Online  Editors 
Sandy  Kendall,  Meridith  Levinson, 
Shawna  McAlearney, 

Esther  Schindler 
Associate  Online  Editor 
Diann  Daniel 
Online  Writer  Al  Sacco 
Online  Copy  Editor 
David  Gradijan 

INFORMATION  SYSTEMS 

IDG  Director  of  Information 
Services  Nancy  Newkirk 
IT  Manager 
Sean  McCracken 
Senior  User  Support  Specialists 
Christopher  A.  Kay, 
Thomas  Lupien 
User  Services  Specialist 
Gloria  Lam 

Associate  User  Support  Specialist 
James  Brevard 
Senior  Web  Developer 

David  Cohen 

Web  Developer  Sanghee  Seo 

CXO  MEDIA  /  IDG 

COO  Matt  Smith 
CSO  Robert  Hayes 


CXO MEDIA INC.

INTERNATIONAL  DATA  GROUP 

Board  Chairman 
Patrick  J.  McGovern 
President,  IDG  Communications 

Bob  Carrigan 


PCI  Is  Security  Simplicity, 
Not  Complexity 




Contributor Ben Rothke says the data security standard seems to make relatively smart people instantly dim-witted as they complain about its so-called complexity.

www2.csoonline.com/exclusives/column.html?CID=33101 

People  Are  Not  Computers 

Blogger  Perry  Carpenter  chats  with  Bruce  Schneier  at  BlackHat. 

blogs.csoonline.com/people_are_not_computers 

The  Reluctant  Complainant 

Attorney John D. Thompson offers security and investigations advice for HR managers and other nonsecurity personnel.

www2.csoonline.com/exclusives/column.html?CID=33102

Government  Telework— What’s  the  Holdup? 

Michigan  CISO  Dan  Lohrmann  blogs  about  overlooked  considerations. 

blogs.csoonline.com/telework_scorecard_what_s_holding_government_back


"iPhones have all the elements of a good theft spree. They are expensive, small, in demand and in reasonably short supply."

-Executive Editor Scott Berinato in "How to Get Your iPhone Stolen," www.csoonline.com/alarmed



Hackers love company. Your company. Today, criminals methodically target corporations, orchestrating attacks to steal confidential information: "Hacking for profit."

In addition to stopping worms, viruses and phishers, you need to crush these new, systematic assaults — from botnets to trojans. Juniper Networks comprehensive, cost-effective threat management solutions provide uncompromising defense for your network. Only Juniper takes a uniquely holistic approach, dispatching dedicated protection to every network and application layer vulnerability and making any network more secure: www.juniper.net/threatmanagement

Juniper Networks
1.888.JUNIPER


From the Editor

What Happens Next

CSO celebrates its fifth birthday with this issue. This has been a fascinating half decade for observing the evolution of the security profession.


A lot has happened, for better or worse. The CSO position grew in acceptance and prominence. Digital and physical security started talking to each other. DHS took its first wobbly steps. Messrs. Sarbanes and Oxley wielded their mighty hammer. Telephone calls and surveillance videos gravitated onto the IP network. The discussion of security value and security metrics proceeded in fits and starts (and stops). And obviously there's been tremendous geopolitical turmoil.

None of these trends has reached an end state. Security leaders still get fired. There's still squabbling over the meaning of the CSO title. DHS needs to grow up. The regulatory landscape remains unsettled; federal data breach disclosure bills languish. But on the balance, I'd say security has matured over the past five years. Wouldn't you?

Birthdays and anniversaries are good for pausing and looking back in this way. Looking forward is tougher. You can't predict every event; no one knows that better than security professionals.

Still, let's look forward. That's been a key goal for CSO since our inception—you've got plenty of information sources that tell you what already happened; our objective is to analyze as many inputs as possible and offer intelligent conjecture to help you stay ahead of trends instead of behind them. My predictions:

■ The connection and communication between security and insurance functions will get stronger. I don't know if RIMS will exactly join hands and sing Kumbaya with the ASIS/ISSA/ISACA troika, but greater cooperation is the natural and necessary next step in convergence or holistic risk management. Companies are going to save money and become more resilient as a result. Bob Hayes (the guy I always ask when I want to know what happens next) and his Security Executive Council have some great work up their sleeves to help push organizational risk management to new levels of maturity.

■ The balance of power will shift further away from security vendors and integrators and toward the guys in the corporate trenches. The ultimate effect will be more security spending, with greater benefit. This is precisely what happened on the evolutionary path of the information technology function: As the dominance of mainframe vendors waned, customers won new flexibility and ultimately found themselves able to create much more business value. Then they got bigger budgets to do that.

■ In the near future, the Internet will reach a crisis point as to its viability as a commercial channel. (See Scott Berinato's article on Page 20 for a look at a paradigm shift by the bad guys.)

If those predictions turn out to be incorrect, here's one I know to be true: Next month you'll see a redesigned issue of CSO land on your desk, with a few new columns and departments and a superclean, updated look courtesy of our art director, Steve Traynor. We look forward to continuing to serve the security community for the next half decade and beyond—whatever those years may bring.

-Derek Slater
dslater@cxo.com


6  www.csoonline.com  September  2007 


PHOTO  BY  WEBB  CHAPPELL 


MONITORING  I  ACCESS  CONTROL  I  VIDEO  SURVEILLANCE  I  RFID  I  INTRUSION  DETECTION  I  EAS  I  FIRE  &  LIFE  SAFETY 


COMMERCIAL SOLUTION

When physical security and IT work together, everybody wins.

You can leverage your respective strengths to deliver new levels of performance, gain greater returns on your security investment and reduce your total cost of ownership. And few companies are more experienced at bringing people together to address security issues than ADT. In fact, we've been helping customers use innovative solutions to address new challenges for more than 130 years. Let us help you do the same. After all, the best way to face new challenges is with New Thinking.

For more information on our convergence capabilities or to learn about Secure World Expos, call 1-888-228-0274 or go to ADT.com/convergence.



ADT Always There

ADT state license numbers are available for review on www.adt.com or by contacting 1-800-ADT-ASAP®. Copyright ©2007 ADT Security Services, Inc. All Rights Reserved. ADT, the ADT logo, ADT Always There and 1-800-ADT-ASAP are registered trademarks of ADT Services AG, and are used under license.


From the Publisher

Shame on the Journal

As if managing security in your enterprise isn't hard enough, The Wall Street Journal, in its August 1st article "Ten Things Your IT Department Won't Tell You," outlined how employees could get around the system restrictions imposed by their IT security teams. I will give the Journal some credit; it did point out the risks involved with sidestepping these restrictions and how to do so safely, but the fact that it feels the need to publish security workarounds really amazes me. I can just imagine the employee thinking this encourages....

1. How to send giant files. "I can't help it that these customer databases are so large," the employee thinks. "There aren't enough hours in the day for me to do the customer analyses my boss wants, so I have to bring those files home. Our stupid IT department has locked down our USB ports and won't let me send anything on e-mail larger than 2MB. Why does my boss need to know how many customers have Social Security numbers that begin with 302 anyway?"

2. How to use software that your company won't let you download. "Instant messaging software, for example? Easy. I'll just use a Web-based version of IM. What do you mean, we have to retain all our IM communications to meet e-discovery and data retention regulations? Sox...that's a baseball team, right?"

3. How to visit the websites your company blocks. "I can't believe my company won't let me visit that online gambling site. How else am I going to pay back my bookie? Never mind I have to get back to managing our customers' healthcare claims."

The Journal goes on from there—how to clear your tracks on your work laptop, how to search for your work documents from home, how to store work files online and so on.

By all accounts the staff of the Journal is very concerned over what will happen when Rupert Murdoch's News Corp. takes over. My advice to Mr. Murdoch: Pray that the Journal's staff isn't reading its own articles or you may need to bring in a crack security team to get things under control. Maybe there is a benefit for at least one CSO in all of this?

-Bob Bragdon
bbragdon@cxo.com


HOW TO REACH US E-mail csoletters@cxo.com Phone 508 872-0080 Fax 508 879-7784 Address CSO Magazine, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208; Subscriber Services Phone 866 354-1125 Fax 847 564-9453 E-mail cso@omeda.com; Reprints For article reprints (100 quantity or more), contact Keith Williams at PARS International at 212 221-9595 x319 or e-mail keith.williams@parsintl.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.


8  www.csoonline.com  September  2007 


PHOTO  BY  CHRISTOPHER  NAVIN 


EXECUTIVE WOMEN'S FORUM

STRENGTHENING THE ENTERPRISE BY ALIGNING PRIVACY PROGRAMS AND IT SECURITY

Also  Inside: 

Q  &  A  with  Executive 
Women’s  Forum  and 
Academic  Executives 
PAGE  3 

Security  as  a 
Business  Enabler 
PAGE  6 

Building  the  Best 
Risk  Management  Team 
PAGE  8 

Protecting 
Personal  Data 
PAGE  12 

How  to  Create  a 
Security  Training 
Program 
PAGE  14 


CSO Custom Solutions Group

5th Annual Executive Women's Forum
Information Security, Risk Management & Privacy

September 19-21, 2007 | Hyatt Regency Resort & Spa | Scottsdale, AZ


Managing  Risk  Through  Collaboration 

Hosted by Alta Associates, Inc., the 5th Annual Executive Women's Forum (EWF) brings together more than 200 women of influence, power and intelligence to explore the impact of managing risk through collaboration in today's global business environment.

The EWF provides a casual venue that fosters the development of creative ideas, innovative solutions and deep relationships.

Join your peers to explore how we are connecting the dots.


KEYNOTE  SPEAKERS 

DR.  CLAUDIA  NATANSON 
Chief  Information  Security  Officer 
Diageo 


WOMEN  OF 
INFLUENCE  AWARDS 

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy. Winners will be announced at an awards ceremony during the Executive Women's Forum.

NOMINATION FORM AVAILABLE AT: http://public.cxo.com/awards/applicationWOI_2007.html

Nominations must be submitted by August 1, 2007.

Media  sponsor  &  awards  co-presenter: 


The  Resource  for  Security  Executives 


Forum  host  &  awards  co-presenter: 


ILLUSTRATION  BY  JIM  FRAZIER 


Executive  Women's  Forum 


VIEWPOINT: 


Managing Risk Through Collaboration

Q&A with Privacy and Security Leaders from Procter & Gamble, Microsoft, AARP and Carnegie Mellon University


CXO Media writer Debby Young spoke with members of the Executive Women's Forum from industry, technology, service and education about the importance of collaboration in managing privacy and security risks. The women, who will gather to discuss these and other issues at this year's event, included Sandy Hughes, global privacy executive for Procter & Gamble; Kim Hargraves, group manager of privacy strategy for Microsoft; Suzanne Hall, director of IT operations and security for AARP; and Lorrie Cranor, associate research professor in computer science and engineering and public policy at Carnegie Mellon University.

Q: What's driving the collaboration between privacy and IT security in your organization?

Sandy Hughes: With the advent of the Internet and the possibilities it offers for direct-to-consumer marketing, Procter & Gamble instituted a full privacy program that is executed via a Global Privacy Council. The GPC includes business representatives from all areas that collect and manage data, as well as corporate resources from IT security, government relations, corporate security and legal counsel. As solid IT security is the foundation for an effective privacy program, we work on common projects. For example, we cross-reference each other in our training programs and on our Web sites and work together on incident response. Simply illustrated, if an employee laptop is stolen, corporate security may do the investigation, while IT security may research what data was stored on the laptop and how. If any personal data is found to be compromised, the privacy group may help to develop the action plan to resolve the issues.


ADVERTISING SUPPLEMENT

EXECUTIVE WOMEN'S FORUM

SEPTEMBER CSO • VOLUME 3, NUMBER 1

Leadership Insights by:

Alta Associates — PAGE 8
CA, Inc. — PAGE 6
Executive Women's Forum — PAGE 3
Microsoft — PAGE 10
Sun Microsystems — PAGE 12
Symantec — PAGE 14

What began as a conference has blossomed into a vital and trusted network of people who share common goals and challenges.

— Joyce Brocaglia
CEO, Alta Associates


Q&A

Kim Hargraves: Microsoft's goal is to integrate privacy and security into every facet of the company. To drive that discipline, our security and privacy groups collaborated to create educational tools called "privacy-in-a-box" and "security-in-a-box." These kits, aimed at enterprise leaders, contain training materials, guidelines, best practices and resources for subject-matter expertise. In addition, both groups use the same risk management processes to identify and evaluate risks. Our two teams meet on a regular basis to talk about overlapping areas so that we can launch joint initiatives and avoid duplicating efforts. In the last round of risk assessments, for example, both groups identified credit card data as a key risk. By combining our resources and building an action plan together, we created a compelling business case for implementing a payment card security program that is consistent across our operations.

Suzanne Hall: As strong advocates for key privacy regulations like the Gramm-Leach-Bliley Act (GLBA) for consumer financial data and the Health Insurance Portability and Accountability Act (HIPAA) for medical records, AARP looked to our own policies and questioned how we'd implement those regulations. We soon made the connection that you can have good security and not have good privacy. But you can't have good privacy without good security. So we formalized the relationship between security and privacy and established the AARP Security Council, of which the privacy officer is a member.


Lorrie Cranor: Universities have had to comply with privacy regulations since the enactment of the Family Educational Rights and Privacy Act in 1974, and now must also comply with HIPAA, GLBA and other privacy regulations. But with all the recently publicized privacy breaches at universities, Carnegie Mellon's Information Security Office conducted a fairly comprehensive survey to find out where sensitive data was being stored at the university. We found that we, like many universities, are facing a huge problem protecting the privacy of student records because most faculty members store that information on their laptops. The ISO has been educating faculty to avoid storing sensitive data on laptops if at all possible and to dispose of it as soon as it is no longer needed.

Q: What are some of the common pitfalls to avoid when collaborating across disciplines?

Hughes: IT security has a much broader scope, including protecting proprietary data about initiatives, formula cards and applications that don't contain personally identifiable information. In contrast, global privacy is concerned with how personal data is collected and managed and fulfilling our "contract" with those who provide it whether they are internal or external to the company. It's important to understand and respect the scope and objectives of each organization and then identify the overlap areas that can be addressed jointly.

Hargraves: Privacy and security each have their own vision and mission. Sometimes they are not related. So we have to be careful to find the right balance between achieving our own objectives and finding time to collaborate on related projects that are strategic to the company.

Hall: Privacy and security need to encompass the entire extended enterprise — not just what we do as an individual business, but also all the partner organizations that we work with to deliver services to our customer base. When we contract with unaffiliated third parties, we need to include security and privacy terms and conditions in the contract along with the legal ones. Today, when we deal with other organizations that are going to have access to any of our systems or our data or our membership lists, our privacy and security teams are part of the vetting process and the contract negotiations.

For more information about the Executive Women's Forum, please visit www.infosecuritywomen.com

Cranor: Carnegie Mellon, like a lot of educational institutions, lacks an overarching framework for treating privacy issues consistently across the university. A formal comprehensive privacy policy would be a valuable reminder of what our policy is and serve as a point of reference for identifying activity that is breaching that policy. But we have modified some of our applications and policies to limit dissemination of personal information. For instance, because public e-mail has proven to be a vulnerable communication medium, faculty no longer receive a student's ID number (Social Security number or university-assigned numeric code) when downloading the class roster. And when faculty submit grades online, the confirmation e-mails no longer include a copy of the grades received.

Q: What are some of the issues on the horizon that might impact how organizations align their privacy and security programs?

Hughes: Procter & Gamble is one of many companies deploying radio-frequency identification (RFID) tags at the pallet and case levels to improve supply chain management from the factory to retailers. Extending that technology to the item level would help to deter theft, make checkout and returns faster, and speed item removal from shelves during product recalls or when expiration dates have been reached. On the other hand, consumers have raised concerns that RFID tags could be used to track and profile them whenever they make a purchase and leave the store. RFID users and providers are working together to build security safeguards and set privacy guidelines that alleviate any real or perceived harm to consumers.

Hargraves: There is real pressure coming from legislation surrounding data breach notifications. This is an area where privacy and security are going to have to react in concert, and do it quickly and seamlessly. Consumers need to be notified of potential harm, as well as provided remediation. Companies also need to conduct forensic analysis on processes and systems and maintain effective chains of evidence in case of criminal prosecution. So we need a comprehensive privacy and security program in place to address evolving state and federal regulations.

Hall: It takes a lot of strategic planning to establish a satisfactory balance between respecting individual privacy and gathering sufficient information to understand the preferences of the market and customize how we reach out to our constituents. On another front, the more successful we become at building security and privacy into our technology, the more invisible we become to the enterprise, our customers and our partners. But we can't achieve that level of maturity without funding and being included in strategic planning discussions. So the challenge is how to ensure that this invisible service stays at the top of the funding list.

Cranor: A big issue is the tension between security monitoring and expectations of privacy. Universities are being asked to play a role in monitoring for intellectual property protection and even physical security. University policies must strike a balance between privacy and security needs while complying with a number of applicable regulations. Another issue is the proliferation of unsecured wireless networks, which has increased our risk of exposure. Faculty and students think nothing of logging onto the university network from local coffee shops and other public environments. The university is trying to address that vulnerability by adding virtual private network facilities to most of the campus e-mail servers. Another concern we have is the social networks — like Facebook, MySpace and Friendster — that students are using to share all sorts of information. Many don't seem to be aware of the associated privacy issues.

Hughes: Because people working in security and privacy or compliance and governance roles are in a specialized niche, they don't often receive the kudos that some of the more visible roles in the company do. So it's crucial for companies to provide personal development guidelines, skills development opportunities and career paths that recognize and reward their crucial role in the business' continued well being. ■


"Privacy and security need to encompass the entire extended enterprise, not just what we do as an individual business."


CA, Inc.

Reframing the question from restriction to innovation

Securing the Extended Enterprise

With organizational perimeters becoming increasingly perforated — by workforce mobility, Web services and a degree of integration with business partners and customers never seen before — the scope of securing the corporate infrastructure now expands far beyond a company's four walls. To remain relevant in this new era of the extended enterprise, security must transform its role from access inhibitor to business enabler. This requires an expansion of focus beyond the traditional areas of endpoint and infrastructure security to a new model that reflects regulatory compliance and business/operational and reputational risk and that has a continuous compliance framework to guide the business.

Laying the Foundation for Innovation and Value

The evolution of security’s role within an organization requires redefining it in the IT organization as well as in the business. Here are some of the areas that can provide the right level of focus:

1. Establish a formal business risk management program that is integral to the vision of the business, and institute a governance process around the program.

2. Ensure that your risk management program communicates in the language of your businesspeople, not in technical or purely security terms.

3. Do not just rely on return on security investment (ROSI). Reputation and trust are priceless.

4. Educate the business about your security and risk imperatives.

5. Create a defined portfolio of security services aimed at helping and supporting innovation, so the business owners and innovators can understand how to leverage your security program to enhance the value of their ideas.

6. Develop a dashboard so that everyone can understand how the organization is creating and improving sustainable compliance measures and controls.

7. Embrace some of the newer best practices for security, such as ISO 27001 and Financial Institution Shared Assessments Program (FISAP). Even though you might not be in the financial industry, standards such as FISAP (http://www.bitsinfo.org/FISAP/) can provide some guidance for inclining your security stance toward innovation.

8. Meet with the people who discuss how your organization is going to develop new services and capabilities.

If you implement most or all of these measures, your organization will have established important components for secure innovation, but there is a caveat. Make sure the people working with the business are not dedicated solely to that task. They should also have involvement and/or responsibility in the operations and delivery of your security services. This will keep them grounded and ensure that the solutions and ideas being discussed and implemented will work in your operational environment.

It is also important to note that this approach calls for a defined portfolio of security services, measures of success and dashboards. All of these tools imply the need for a formalized framework that supports the articulation of security in terms that are relevant to different audiences.

Common Denominators for Security and Privacy

A common framework—one that looks at how to enable the development of innovative ideas and solutions from cradle to grave—is critical. Instead of simply throwing technology at a problem, CIOs and CISOs must adopt a systematic approach to articulating the risk and then finding the right solution. The first step is ensuring that your policies are aligned with your organization’s business goals, risk-acceptance profile and operational imperatives.

The second step is applying the policies and finding the solutions that enable your organization to deliver new services and products that differentiate it from its competitors.

The fun part is finding the potential risks and threats and the solutions that work. When you’re looking at a new concept or idea, step back and think about potential problems. Be careful not to upset your colleagues by finding nothing but problems. Make sure that the security people understand that they, too, must have solutions.

Here are some ways to support the business and secure the extended enterprise in four areas:

■ Mobile users. The loss of a mobile device is more troubling than just the inconvenience: the personal, corporate and customer data on it, if exposed, poses a significant risk. Thus, there is a need for security at the endpoint and remote management capabilities that enable you to wipe the lost device clean.

■ External business partners. The lines are blurred: some of your employees could also be customers or even external business partners. So how do you give them the appropriate level of access to perform each of their functions yet also have the necessary separation of duties? This requires working with the business to establish clear role definitions. It also means knowing your customers, partners and employees. Only then can you move forward with the trusted relationships needed to provide seamless services to customers.

■ Offshoring. Before you ink a deal with an offshore company, review your access control policies and check whether the contract requires the vendor to access your onshore infrastructure. Implement rudimentary access control policies such as scoping root and other superusers, and ensure that you have removed shared user IDs.

■ Entitlements management. How do you automate response to this daily, monthly or quarterly question: To what systems and applications do users have access? Put a process and system in place that mines this data from most of your common systems. You may be able to leverage such systems for cost savings or, at the very least, cost avoidance, which may give you the flexibility to apply your resources to other mission-critical tasks.
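An added example (not CA’s product or code) of the kind of entitlement review the offshoring and entitlements management points above describe: it mines constructed access exports from three hypothetical systems into one per-user map, answers “to what systems does this user have access?”, and flags superuser scope, shared-looking IDs and a separation-of-duties conflict of the kind the business partner point raises. All host, database, application and account names, the export formats and the rule lists are assumptions.

```python
"""Entitlement review aggregator (added example; not CA's code)."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample exports from three hypothetical systems; in practice
# these would come from each system's own reporting tool.
UNIX_EXPORT = """host,user,groups
db-prod-01,alice,wheel;dbadmin
db-prod-01,bob,dbadmin
db-prod-01,oracle,dbadmin
app-prod-02,alice,users
app-prod-02,appsvc,users;sudo
"""
DB_GRANTS = """db,user,privilege
hr_db,alice,SELECT
hr_db,dba_shared,DBA
hr_db,carol,SELECT;UPDATE
"""
APP_ROLES = """app,user,role
payroll,carol,approver
payroll,bob,submitter
payroll,bob,approver
"""
# (export text, (system column, user column, privilege column))
EXPORTS = [
    (UNIX_EXPORT, ("host", "user", "groups")),
    (DB_GRANTS, ("db", "user", "privilege")),
    (APP_ROLES, ("app", "user", "role")),
]

# Privileges treated as root-equivalent for the "scope superusers" check.
SUPERUSER_MARKERS = {"root", "wheel", "sudo", "dba", "administrators"}
# Heuristic for account names that look shared or generic rather than
# tied to one named person; each hit needs a named owner or removal.
SHARED_ID_PATTERN = re.compile(r"shared|svc|service|generic|^oracle$|^admin$", re.I)
# Separation-of-duties rules: (system, privilege A, privilege B) that one
# user must not hold together.
SOD_RULES = [("payroll", "submitter", "approver")]


def parse_export(text, system_col, user_col, priv_col):
    """Yield (system, user, privilege) from a CSV export; the privilege
    column may carry several values separated by ';'."""
    for row in csv.DictReader(io.StringIO(text)):
        for priv in row[priv_col].split(";"):
            yield row[system_col], row[user_col], priv.strip()


def build_entitlement_map(exports):
    """Return {user: {system: set(privileges)}} across all exports."""
    ent = defaultdict(lambda: defaultdict(set))
    for text, cols in exports:
        for system, user, priv in parse_export(text, *cols):
            ent[user][system].add(priv)
    return ent


def access_report(ent, user):
    """Sorted 'system:privilege' entries for one user (empty if unknown)."""
    systems = ent.get(user, {})
    return sorted(f"{s}:{p}" for s, privs in systems.items() for p in privs)


def find_superusers(ent):
    """(user, system) pairs holding a root-equivalent privilege."""
    return sorted(
        (user, system)
        for user, systems in ent.items()
        for system, privs in systems.items()
        if any(p.lower() in SUPERUSER_MARKERS for p in privs)
    )


def find_shared_ids(ent):
    """Account names that look shared or generic."""
    return sorted(u for u in ent if SHARED_ID_PATTERN.search(u))


def find_sod_conflicts(ent, rules):
    """(user, system) pairs where one user holds both sides of a rule."""
    hits = []
    for user, systems in ent.items():
        for system, priv_a, priv_b in rules:
            if {priv_a, priv_b} <= systems.get(system, set()):
                hits.append((user, system))
    return sorted(hits)


def main():
    ent = build_entitlement_map(EXPORTS)
    for user in sorted(ent):
        print(user, access_report(ent, user))
    print("superuser scope:", find_superusers(ent))
    print("shared-looking IDs:", find_shared_ids(ent))
    print("SoD conflicts:", find_sod_conflicts(ent, SOD_RULES))


if __name__ == "__main__":
    main()
```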

Breaking Out of the Locked-Down Mentality

Security is no longer just a matter of keeping people out but also a way of safely letting more business in. To add value to the organization, security and privacy groups must assess their activities in terms of the company’s overall risk framework. They need to offer innovative and practical ways to facilitate business throughout the extended enterprise to protect digital assets and data privacy without impeding growth.

Bernadette Nixon is senior vice president and general manager of Northeast U.S. and country manager of Canada for CA, Inc., and Joanne Moretti is senior vice president and general manager of U.S. West for CA, Inc.

CA is a recognized leader in enterprise IT security and management software. CA offers comprehensive and integrated security management solutions that enable organizations to align security with corporate business processes, achieve operational efficiency, enable regulatory compliance, mitigate operational risk, ensure service continuity, and enable business growth. CA solutions address the entire spectrum of security challenges, including identity and access management, threat management, and security information and event management. CA security management solutions are in use today by the majority of the Fortune 500, helping these leading organizations reduce the complexity and cost of their security management while protecting critical corporate systems and data and enabling business growth. For more information: www.ca.com/secure.




Alta  Associates 


The Rising Risk Factor

The Human Capital Element

As companies scramble to comply with the many new regulations around information security and privacy, senior executives and boards of directors are stepping up to the plate now more than ever to support risk management initiatives.

The threats of significant fines and possible incarceration are certainly underlying motives. But the changing landscape of doing business globally and the growing reliance on technology have also raised the risk factors. Another strong impetus for action is the general public’s awareness of issues regarding their privacy and protection of their personal data.

The most senior-level executives rely on timely and actionable risk information to make decisions that will drive corporate efficiencies and operational effectiveness. They recognize that effective risk programs ultimately improve customer service and confidence, and increase shareholder value.

In fact, the 2007 State of the CIO survey of IT leadership indicated that risk management, information security and data integrity are top priorities for IT organizations in the year ahead. But this raises a key question: Do organizations have the essential skills needed to implement these critical programs?


Who's in Charge?

Information security and privacy are just small slices of the operational risk pie. Today, companies are taking a more holistic approach to evaluating and mitigating risk. It’s no longer sufficient for the information security officer to simply excel in the technical arena or for the privacy officer to be an expert in jurisprudence. The positions they hold demand a much broader skill set, including leadership and adaptability, communication and relationship building.

Collaborative skills provide the essential glue. Once security and privacy officers understand the risk appetites of all their business units and the company as a whole, they need to create consensus among the stakeholders to put an action plan in play and keep it running.

The way security and privacy officers really get things done is through influence. They must find thought leaders within their organizations who can meet with business units and build a strong network of cooperation to increase the likelihood of success for any risk management initiative. Forward-thinking companies recognize that business and IT executives must collaboratively and effectively establish standardized, repeatable ways to identify, prioritize, measure and reduce business and technology risks. This means that security and privacy professionals who were used to working in their own silo must now consider all business-related risks to align investments properly with exposures.

Creating a Culture of Collaboration

“People, process and technology” is an often-used phrase. There’s a reason why people come first. Ultimately, it is the strength of an organization’s human capital and their ability to take individual ownership and responsibility for their actions that will build a resilient organization. What needs to be in place to leverage the human capital in an organization to effectively build a risk management program? The following checklist is a great place to start:

1. Support from the top down. Building trust-based relationships throughout the organization has to start at the top. The executive board and the organization’s most senior executives must present a united front on the importance of information security and privacy. If they mandate risk mitigation programs, they empower security and privacy departments to act as enablers for the business.

2. Schedule face time. Getting everyone talking to one another and understanding each other’s concerns and objectives isn’t an easy task. Teams are often globally dispersed. Depth of expertise in key areas tends to vary. Risk appetites differ among business units. Therefore it’s imperative to schedule face-to-face meetings on a regular basis among key stakeholders to forestall any misunderstandings that might derail effective collaboration.

3. Document everything. Essential requirements for risk management initiatives have to be put in writing. This ensures that implementation is consistent throughout the enterprise, and it provides a cohesive argument for acquiring the necessary funding and ongoing support.

4. Step up awareness and training. Every employee and business partner must become security-minded. Technology and processes must be put in place to mitigate risks, and people must be educated about why security and privacy are so important to the company and how their actions can make a difference.

5. Leverage a broad spectrum of risk management talent. Whether you rely on your internal HR staff or partner with a professional recruiter, it takes significant time and expertise to attract and hire the right privacy and security talent. There are so many roles within information security and privacy, and the skill sets for these positions vary by industry, corporate culture and the maturity of security and privacy departments.

To effectively reach out to the right candidates, it’s important to dedicate the resources needed to identify, interview and hire new talent. It’s critical that a well-defined, repeatable process be developed for interviews, along with a timeline for meeting hiring goals. Often, hiring managers don’t give the level of prioritization necessary for the hiring process to be successful. This can result in even the most enthusiastic candidates losing interest. The acquisition of new talent must be given priority equal to or higher than other key objectives, because without human capital, it’s impossible to execute projects and initiatives.

A specialized recruiter will bring fresh perspective and expertise to an otherwise daunting task. Whether helping to clarify roles, formulating job descriptions, giving guidance on the available talent pool or identifying and delivering top professionals, a reputable recruiting firm can help by sharing benchmarks and best practices from similar corporations to help speed the company’s transformation.


Joyce Brocaglia is the CEO of Alta Associates (www.altaassociates.com), a recruiting firm specializing in information security, IT risk management and privacy.


Strategic Hiring Mitigates Risks

As professional recruiters, Alta Associates has been instrumental in helping many companies bring their risk management initiatives to fruition. In each case, strategic talent acquisition was the key to success.

For example, Alta was approached by a global financial services firm intent on developing an insider threat response team to combat identity theft, organized crime attacks and employee security breaches. The assignment was to build the organization from the ground up. Within a month of starting the search, Alta identified two emerging experts in these fields and brought them on board. They have become the foundation of a growing team that is defining ways in which large financial services firms combat insider threats, fraud and organized cybercrime.

In another instance, after some unfavorable audit findings, a large regional health care provider network approached Alta to help build a team to address the gaps in its risk assessment and remediation response efforts. The stakes were high, not only from a regulatory compliance point of view, but also because the provider was vulnerable to outside attacks. In two months, Alta hired a team of tactical security professionals who identified and remediated the critical risks that the client was facing.




TIMES ARE CHANGING

Step Up Your Security Game

THE THREAT LANDSCAPE IS EVOLVING

• Criminals are casting even wider nets through the use of botnets. In 2006, backdoors were the most active type of malicious software detected, with bots the most active within the group.

• Previously, highly complex exploits were required for less than 5% of vulnerabilities disclosed. However, the trend has been upwards for the past few years. In 2006, complex-to-exploit vulnerabilities jumped to more than 15% of the yearly total.

• Sophisticated social engineering attacks are on the rise. Rather than exploiting software security vulnerabilities, these attacks exploit trust relationships by masquerading as a known business, friend, or even family member.


(Chart: Complexity of Exploit)


"The significant numbers of mass-mailed Trojans detected demonstrate that e-mail remains an effective vector for spreading malware and infecting computers worldwide."


Data derived from the July-December 2006 Microsoft Security Intelligence Report (SIR). The Microsoft SIR provides customers and partners with a comprehensive understanding of the types of threats Windows customers face today so they can take appropriate action to help ensure they are better protected. The report highlights trends observed over the past several years, leveraging data collected by Microsoft between July 1 and Dec. 31, 2006, from numerous sources including Microsoft's Malicious Software Removal Tool (MSRT) and Windows Defender. The full report is available at http://go.microsoft.com/fwlink/?LinkID=88436&clcid=0x409.


www.microsoft.com 


THREATS TO BUSINESSES AND CONSUMERS CONTINUE TO EVOLVE

• Detections of Trojan downloaders and droppers increased in the second half of 2006. The continued popularity of this class of threats points to their effective role as 'middleman' - installing malicious software on the system and then cleaning up the tracks in order to avoid detection and hamper forensics.

• Remote control and monitoring software both show increased prevalence, largely due to increased criminal use in order to commit data theft or to control large numbers of compromised computer systems.

• It is likely that applications are becoming a more attractive target, relative to operating systems. Applications continue on a three-year trend of contributing a higher percentage of vulnerabilities relative to the total number of disclosures.


(Chart: Malware Category Breakdown: July 1 - Dec. 31, 2006; categories shown: Backdoor, PWS / Keylogger, Downloader / Dropper, Trojan, E-mail Worm, P2P Worm, Exploit, IM Worm, Rootkit Tool, Virus)


THE TIME TO TAKE APPROPRIATE ACTION TO HELP ENSURE YOU ARE BETTER PROTECTED IS NOW

Maximize the efficiency of your existing security infrastructure.

1. Implement the concept of least privilege within your organization. With least privilege, even if malicious or potentially unwanted software is executed within your environment, it is limited to performing non-administrative actions.

2. Filter outgoing network traffic to help reduce the likelihood that an attacker could leverage a backdoor Trojan to retrieve sensitive or confidential information from your organization.

3. Use an application management system within your organization to help control the programs that end users can run.

4. Educate your organization about malicious and potentially unwanted software such as the danger of social engineering threats and trends and capabilities of malicious software.

5. Consider bolstering existing protection with tools that are available at no charge to help detect and remove some malicious and potentially unwanted software.

For additional ways to maximize efficiency, visit www.microsoft.com/security.




Sun Microsystems

Strategies for Aligning Systems and Policies to Protect Personal Data and Security


With so much personally identifiable information (PII) captured and stored on business systems today, privacy programs are becoming as important a part of a corporate landscape as IT security. Data flowing through the company that can be linked to a unique individual—such as phone numbers, Social Security numbers, frequent-flier information and the like—must be closely guarded against unauthorized access and misuse or negligence to avoid regulatory penalties. Beyond the financial risks from loss of business, recovery costs, fines or lawsuits, compromises of PII can potentially damage the company’s reputation in the marketplace and the confidence of its stockholders.

Because of the value of personal information and the serious risks associated with not properly protecting it, many companies are creating a new corporate position, chief privacy officer (CPO), to bring clout to the issue of privacy. The CPO works in tandem with the chief information officer (CIO) and the chief information security officer (CISO) to create a synergy between privacy policies and their related requirements for IT systems.

“There’s enormous value in bridging the gap in understanding between the CIO, who often doesn’t truly comprehend the difference between privacy and security, and the CPO, who may not have a thorough knowledge of IT systems and processes,” says Michelle Dennedy, CPO of Sun Microsystems. “Only when the two organizations combine their expertise can the company successfully guard itself against security and privacy risks.”

The Value of Alignment

Protecting personal data within business processes and systems requires strict control over its access, distribution and destruction as well as the internal policies that govern its use throughout its life cycle. By closely aligning the CPO and CIO organizations and leveraging each other’s knowledge and expertise, companies not only improve business processes and better protect PII but also achieve a host of other business benefits, such as:

■ Increased control over data access and usage. Greater structure and oversight of data collection and management increase the value of appropriately using data throughout its life cycle.

■ Less duplication of effort. Streamlining overlapping responsibilities in areas such as regulatory compliance and protection of intellectual property enables CPOs and CIOs to achieve more from their limited resources and to reduce their operating costs.

■ Lower development and deployment costs for IT systems. Identifying security and privacy requirements up front avoids last-minute changes and delivery delays or the need to retrofit an IT system after it is in production.

■ More-efficient processes. Mapping data required for tracking and protecting personal information can also be used by other IT processes such as change control and problem resolution.

■ Better and more comprehensive decision-making. When the CPO and CIO understand each other’s perspective, they can more effectively explore and balance the trade-offs between costs and methodology to achieve their desired security and privacy goals.

■ Reduced risk of privacy or security breaches. Joining forces promotes greater awareness of security and privacy policies throughout the organization, reducing the risk of breaches and enabling a faster recovery if breaches do occur.

Some Best Practices

Although there are several ways CPOs and CIOs can improve their working relationship, their strategic alignment needs to focus on more than simply protecting PII and reducing risk. Through cooperation and collaboration, the two organizations can build better value for stakeholders and improve operational efficiencies throughout the company. Here are a few suggestions:

■ Defining roles and responsibilities. Cross-functional understanding is essential. The IT staff should learn enough about privacy policies and goals to know when a potential privacy issue occurs and whom to call to check it out. Similarly, the privacy office must build its knowledge about the IT infrastructure and processes and how they use data. This helps reduce the disconnect between policy and actual implementation. It also reduces security and privacy vulnerabilities and incidents.

■ Defining and documenting policies, processes and standards. Documenting privacy objectives, business workflows and benchmarks for compliance helps IT developers understand privacy risks and requirements for data that is centrally stored and data that is housed on mobile devices. This documentation must extend throughout an IT project’s life cycle—design, development, upgrade and retirement—to ensure strict adherence to company policies regarding privacy protection and security. Documentation forces a degree of clarity that enables IT and the privacy organization to devise creative solutions to business problems. Using the documentation as a baseline for monitoring compliance and conducting risk assessment activities also reduces the likelihood of breaches.

■ Integrating privacy requirements with existing IT methodology and strategies. Incorporating privacy impact assessments into existing IT security or architecture reviews minimizes the hurdles in the development cycle and enhances project discipline. CPOs should also sit in at the design stage to ensure that the specifications meet both the functional and privacy needs of business owners and users. Combining IT and privacy training and awareness efforts saves users time, ingrains privacy policies in the corporate culture, spreads development costs across organizations and educates stakeholders on subtle differences between privacy and security practices and priorities.

■ Defining global policies across geographies. Much like an architectural plan governs physical machines and codes, privacy policies should provide a workable blueprint with sufficient flexibility to build a global framework that can meet diverse geographic and business operations challenges. CIOs should collaborate with CPOs to define global policies that are realistic to implement while still meeting most regulations in countries of operation and addressing data that crosses international borders. It is easier to communicate, monitor and enforce a single privacy policy framework, which lowers the cost of global implementation and reduces the risk of noncompliance with regulations.

For more information, see the "The CIO and the CPO—A Vision for Teamwork and Success" and "CPO—Now What?" best practices white papers at www.sun.com.

Long-Term Benefits

When CPOs and CIOs work collaboratively, they can have a direct impact on reducing business risks and increasing operational efficiencies. Cross-training between security and privacy organizations creates a common sense of purpose and leads to more creative, cost-effective ways to protect and secure personally identifiable information.

“Cooperation between the two organizations not only ensures that the needs and goals of both groups are met,” says Dennedy, “but also ensures that their activities serve the best interests of the company as a whole.”




Symantec 




Incorporating  people,  process  and  technology 
into  the  IT  risk  management  strategy 


The  Secret  Weapon  for  Mitigating 


In today's interconnected marketplace and global economy, information assets are at greater risk than ever, as incidents are becoming more devastating and expensive. With organizations growing more dependent on information technology (IT) systems to conduct business, mitigating IT risks is critical and requires an effective IT risk management strategy that addresses people, process and technology. While organizations frequently focus on mitigating IT risks by investing in new technologies, they fail to leverage the most critical asset: people.

IT risk management is a practice for balancing the costs of developing a robust and secure IT infrastructure against the likelihood of an incident and potential damage to the organization should one occur. Generally, IT risk is divided into four categories:

■ Security. The risk that internal or external threats may result in unauthorized access to information.

■ Availability. The risk that information might be inaccessible due to unplanned system outages.

■ Performance. The risk that information might be inaccessible due to scalability limitations or throughput bottlenecks.

■ Compliance. The risk of violating regulatory mandates or failing to meet internal policy requirements.

With corporate IT-related incidents attracting an ever-increasing share of the public’s attention, the need for more-effective IT risk management strategies is evident. The 2007 Symantec “IT Risk Management Report” survey, which queried more than 500 IT executives and professionals, revealed that a majority of respondents expect to be affected by some type of security or compliance incident in the next one to five years. Sixty percent of respondents expect at least one major IT incident that could halt or disrupt a critical part of their business each year.

Incorporating People into a Risk Management Strategy

The effectiveness of even the best technology and processes is undermined if employees do not understand both the value of the organization’s information assets and their role in securing these assets.

Today human actions account for a far greater degree of computer-related loss than all other sources combined. An analysis of Symantec’s INFORM risk management database revealed that respondents most often identify drivers related to people and process as significant sources of IT failures. For example, 60 percent of respondents identified lack of proper architecture expertise and 53 percent identified insufficient training in troubleshooting and resolution as a significant source of IT failure.

Common internal causes of corporate IT-related incidents include poor password protection, failure to update protection software, failure to scan files and inappropriate on-the-job Web surfing and file downloading. The potential impact of these incidents leaves the infrastructure exposed and the organization vulnerable to exploitation, attack and loss of proprietary information. These security gaps can also prompt a high rate of virus infection (and reinfection), along with a reduction in available network bandwidth. Ultimately, all of these translate into loss of productivity due to downtime and increased costs to update programs and replace lost or stolen equipment.

The Value of IT Training

Management personnel with security responsibilities may require additional training. According to a new study conducted by IDC and sponsored by Symantec, well-trained IT staff members spend more time on high-value activities, such as maintaining and improving operations, and less time on low-value activities, such as deploying solutions or fixing technology and broken processes, than do staff members who have less training and fewer skills. Compared to less-trained organizations, well-trained organizations are twice as likely to have PCs properly protected from virus, spyware and adware attacks and more than twice as likely to be in compliance with legal and regulatory requirements for archiving email and other content. Well-trained teams are also able to successfully complete backup jobs without failure 60 percent more often.

When designing a training program, IT organizations should keep IT risk management in mind and follow several best practices:

■ Improve incident reporting and handling

■ Properly classify and protect intellectual property

■ Reduce unsafe communication channels, such as instant messaging

■ Design and implement secure applications and infrastructures

■ Demonstrate the importance of proper backup procedures

■ Increase awareness of common virus and Trojan attack vectors, such as email attachments and file downloads

■ Demonstrate proper use of network assets, such as not watching online videos during office hours

■ Increase attention to system performance in IT systems design

■ Educate application architects and developers on their ability to have a positive impact on performance-related issues in IT systems

■ Follow internal IT safeguards and business policy requirements to help comply with standards such as the Federal Information Security Management Act, Health Insurance Portability and Accountability Act, Sarbanes-Oxley, Control Objectives for Information and Technology and ISO 17799:2000

Employees' Role in Mitigating Risk

Contrary to popular belief, IT departments should not shoulder the risk-management responsibility alone. Through proper training and education, all employees can help mitigate IT risks.

Successfully protecting information assets requires employees at every level to obtain a basic understanding of the security risks and policies and know their responsibility in protecting the company’s assets. Without this understanding, organizations cannot hold employees accountable for protecting the organization’s resources.

An effective security awareness training program enables organizations to improve their security posture by offering employees at every level of the workforce the knowledge they need in order to better protect the organization’s information through proactive, security-conscious behavior. The training must also be ongoing and must include continuous training, communication and reinforcement. A one-time presentation or a static set of activities is not sufficient to address the ever-evolving threats to the security landscape.

The more businesses view employees as an asset to their security posture — and the more training they provide on security initiatives — the more secure their data and information will become.

The time has passed for the reactive security model, where security incidents are always dealt with after the fact. Mitigating IT risk requires a proactive approach that incorporates people into the IT risk management strategy. In the long term, this is the only way to reduce the associated costs and maintain any level of security. ■

Bob Yang is director of Symantec Education Services. Symantec delivers software and services that address infrastructure security, availability, compliance and performance risks.




www.AltaAssociates.com

We get people... we know who they are, what you need & how they fit


Human Capital is your greatest asset and potentially your greatest risk. Alta Associates is widely acknowledged as the leading search firm in IT Risk Management, Information Security, Business Resiliency and Privacy.

With our extensive network of contacts and deep industry knowledge, we don't just fill jobs, we find people who strengthen your organization. Alta has successfully partnered with global enterprises for over 20 years to define and deliver top talent.

No other search firm brings the same value-added services and successful track record to the table.

When it comes to locating, evaluating and hiring key executives and their staff, don't take unnecessary risks. Call Alta and go with the most trusted name in the business. It's the choice that will set you apart.


A Trusted Advisor In Recruiting:

• Technology Risk Management
• Information Security
• Business Resiliency
• IT Compliance
• Privacy

Contact us today, call (908) 806-8442 or visit us online at www.AltaAssociates.com




6th Annual

DIGITAL ID WORLD

IDENTITY IS CENTER

September 24 - 26, 2007
Hilton San Francisco
San Francisco, CA


Interact with peers in over 40 hours of in-depth discussion providing you with perspective and analysis of how digital identity is being leveraged to help integrate, manage and secure the network. Sort the trends and discover the truth about what works and what doesn’t.


Topics to include:

Deploying identity-based network access control
Using identity to achieve compliance
Authentication as risk management
How identity fits into SOA
Understanding OpenID and CardSpace
Achieving “anywhere access” with E-SSO
Understanding successful federated identity deployments
Role Management as the lynchpin of scaling identity
Integrating machine identity into an identity architecture
Addressing challenges in identity and the telco space
Overcoming hurdles specific to identity and financial services
Using identity to address healthcare specific concerns


Register now for the 6th annual Digital ID World Conference and take advantage of the early registration discount — reference Priority Code AD and attend the conference for $995. This offer expires September 14, 2007.

Digital ID World. Real World Deployments. Real World Perspective.

Visit www.digitalidworld.com or call 800-366-0246 to register.


Produced in conjunction with:

CSO, The Resource for Security Executives

Walk away with more information, more perspective and more profiles of real world deployments by those who did them than at any other conference!


Secure anytime, anywhere access. When it comes to security, most businesses understand what it means to fail. But few can imagine what it would mean to succeed. RSA’s information-centric security solutions can move your business forward. That’s why we’re the chosen security partner of more than 90 percent of the Fortune 500. Don’t just secure your business. Accelerate it. Learn more at www.rsa.com/go/glide

RSA, The Security Division of EMC

Secure Anytime Anywhere Access | Protect Customer Identities | Secure Enterprise Data | Manage Compliance and Security Information

©2007 RSA Security Inc. All rights reserved. RSA and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies.


“I am fearless.

I drive security strategy for a global 500 company.

I provide secure access to business resources anytime, anywhere.

I believe security should connect people, not isolate them.

I am fearless.”


csoletters@cxo.com 


Mob Mentality

HAVE YOU ever experienced a near riot or stampede at a huge venue? Have theme parks become exempt from current life safety codes? Why aren’t insurance companies requiring theme parks that were built 30 years ago to add additional exits and life safety features as their admissions triple and quadruple beyond capacity? Scott Berinato addresses some of these questions in “How to Control Crowds” [May].

I am an architect, and our family just returned from a shocking experience at a local theme park this past weekend. As these crowds slowly push forward to both get into the parks and to exit the parks, I have become aware that any sort of disturbance could easily trigger a catastrophe. Park employees seem overwhelmed. Because celebrities and top brass have private access to the parks, it is conceivable that the powers in charge have no idea of the risks that are being taken each and every night at many theme parks.

Berinato points out that “facilities are designed to maximize profit at the expense of creating safe crowd conditions.... They don’t design for the safe movement of people.... They’ll spend years studying design and structures and [only] spend a couple of weeks on crowds.”

Well, I want to thank Scott Berinato again for his article, and I also want you to start questioning code authorities and insurance companies on the requirements for theme park executives to provide accurate admittance numbers that meet life safety codes.

ANONYMOUS


Investigating Forensics

I JUST finished reading your article “The Rise of Antiforensics” [June] and thought it was an excellent piece. I am an investigative consultant and a regular reader of CSOonline.com, and I thought your article was very accurate in describing the need for combining human/traditional methods of investigation with technological tools.

CHRIS PIERRE
Consultant
Glencastle Security Inc.


I BELIEVE the entire “antiforensics” panic is nothing more than hype. The science is there, has always been there and will keep up just fine. Digital forensics is not the first choice, nor is it likely to be so, so long as we have good courts. It should be impossible to hinge a case on a single bit of evidence from a hard drive when any expert knows how easy it is to place that one, unique bit at that spot. Instead it hinges on reasonableness. How likely is it that the State went out of its way to create false forensic trails across 30 different computers just to establish one case, on top of the physical evidence present in such a case? It’s common sense, and there is no need to panic.

Finally, regarding Berinato’s “deep research,” I don’t see any such reluctance or weakness manifesting in the courts. Seems more like a case of grandstanding to me.

BRIAN MARTIN
Information Security Manager
Large healthcare organization




We want to hear from you

TO RESPOND to articles you’ve read in CSO, write to us at csoletters@cxo.com. We welcome your thoughts and suggestions.




September  2007  www.csoonline.com  11 


Secure Anytime Anywhere Access

Today, employees, customers and partners need to connect to your business anytime and from anywhere. At the same time you need to be certain that only trusted parties gain access to your critical business resources. With RSA’s security solutions your users enjoy the right access to the right resources at the right time, driving efficiency and enabling collaboration.

RSA can help your organization:

• Enable remote employees to be productive anytime, anywhere

• Extend secure online customer self-service channels to spark new business growth

• Foster collaboration with partners and suppliers, reducing costs, broadening distribution channels and increasing sales

Learn to fear less and do more. Download the Aberdeen Group report “Aligning IT to the Business,” and other information at www.rsa.com/go/glide


SECURITY  TRANSCENDS  TECHNOLOGY® 


CISSP

Relax.

You just hired an (ISC)2 infosecurity pro who’s not only going to make your day, but your career.

It’s easy to kick back when you’ve got the world’s best information security employees at your command. (ISC)2 credentials are the Gold Standard of the industry. When you see (ISC)2 or our globally recognized certifications on a resume, you can be sure that you’re getting a professional who continually updates his knowledge to keep ahead of new threats to your organization and, most importantly, has solutions! So you man the desk, we’ll get the job done.

For more information on (ISC)2’s credential and educational offerings, please visit www.isc2.org/certify.


[(ISC)2 certification seals: CISSP, CAP, SSCP; ISO/IEC 17024]


News, Stats and Fast Facts  Edited by Daintry Duffy

A young guerrilla soldier stands guard during the rebel Sudan Liberation Army (SLA) unity conference in Haskanita, in Sudan’s eastern Darfur province.


Slow Burn

Washington prepares to take on climate change as a national security threat

GLOBAL WARMING The issue of climate change as it relates to national security has been mentioned in security strategies for years, but it’s never received top priority. However, recent events indicate that change is on the horizon: A report authored by 11 retired military generals (emphasizing the importance of integrating the security consequences of climate change into national defense strategies), new legislation in the House and Senate, and an approved proposal for a National Intelligence Estimate (NIE) are all signs that the concern is gaining traction.

The essence of the issue is that climate change affects the stability of regions, and unstable regions often breed global threats. Kent Butts, director of national security issues at the U.S. Army War College’s Center for Strategic Leadership, says that climate change has grabbed the attention of military leaders over the past couple of years. “The scarcity of safe water is a major factor in regional instability,” says Butts. “A government that can't provide for the needs of its people loses legitimacy and invites political instability.” Butts says that could come in the form of a terrorist group claiming to provide basic needs and services that the existing government can’t provide, or an extremist political party trying to oust more moderate parties.

For that reason, Butts says, it’s important for CSOs to examine potential instabilities in regions where their companies operate. “They might be responsible for security in a region directly affected by drought, flooding or waterborne diseases,” he says. “Or they might be affected if they were in a country dealing with increased migration by refugees fleeing climate change.”

A recent op-ed piece in the San Francisco Chronicle by Anna Eshoo, chairwoman of the House Intelligence Subcommittee on Intelligence Community Management, echoes Butts’s claim. “Land loss from rising sea levels in low-lying Bangladesh could increase border tensions with India if millions of people attempt to flee to higher ground,” she writes. “Extended drought has been cited as a contributing factor to conflicts in Darfur and Somalia. And any combination of climate-related stresses can help turn a fragile state into a failed state, which, we all learned on 9/11, can become a breeding ground for terrorists.”

In May, the charity Christian Aid released a report predicting that climate change will displace up to 1 billion people by the middle of the century. According to the report, which is based on U.N. population and climate change figures, as more people are affected by water shortages, famine and conflicts (especially in the Sahara belt, the Middle East and South Asia), the number of refugees, which is currently estimated at 155 million, is expected to rise considerably.

Eshoo and Butts both say the NIE—an assessment, supervised by the National Intelligence Council, on the geopolitical and security implications of global warming—is necessary. Part of U.S. counterterrorism strategy is to address underlying issues that terrorists seek to exploit, says Butts. “It’s not just identifying an organization and destroying them. Since environmental issues are complicating that equation and multiplying existing tensions, it's a fair topic to be addressed by the intelligence community.” -Katherine Walsh


PHOTO  BY  REUTERS/OPHEERA  MCDOOM 


September  2007  www.csoonline.com  13 


Briefing 


Brand Aid

Service providers vie to scour the Web and safeguard your brand

CASE STUDY A reputation is a fragile thing—especially on the Internet, where trademarked images are easily borrowed, corporate secrets can be divulged anonymously in chat rooms, and idle speculation and malicious commentary on a blog can affect a company’s stock price. Brands are under constant attack, but companies such as BrandProtect, MarkMonitor and NameProtect are stepping in to offer companies some artillery in the fight for control of their brands and reputations.

Brian Maynard, director of marketing for KitchenAid, a division of Whirlpool, had a rather unique problem. Like the classic Coke bottle and Disney’s Mickey Mouse ears, the silhouette of the KitchenAid mixer, that colorful and distinctively rounded wedding registry staple, is a registered trademark. KitchenAid had experienced some problems on the Web with knockoffs and unauthorized uses of the mixer’s image, but getting a handle on the many and varied online trademark infringements seemed daunting. Maynard knew that historically, corporate brands that were not well-protected and policed by their owners had been ruled generic by the courts—aspirin and escalator are two examples. So when he received a cold call from BrandProtect, he was intrigued.

BrandProtect uses a technology platform that functions like a giant spider, mapping the Web and identifying what's going on in its darkest recesses. The mapping technology is combined with a filter and human analysis component that identifies and returns actionable data to its clients on illicit activities that may adversely affect their corporate identity. Depending on the client’s chosen service level, those activities can include any of 22 categories of infractions—from phishing to counterfeiting, misuse of corporate logos and trademarked product images, domain infractions and employees blogging about corporate trade secrets. Staying ahead of the many ways that a company’s brand can be compromised or diluted online is a challenge that Kevin Joy, vice president of marketing for BrandProtect, compares to a never-ending game of Whack-a-Mole.

Clients like Maynard receive an e-mailed report every Friday that outlines any activity BrandProtect uncovered that week. The client then decides which items require further action. BrandProtect also sends out the initial cease-and-desist letters. Maynard’s only critique of his experience with BrandProtect is a mild one. “I feel like we sometimes get more information than we have the capacity to deal with right away,” he says. “A report will come in with 400 items when somebody in my group could only get to 20 in a week.”

But the many successes have made the relationship worthwhile. Recently Maynard was impressed by how quickly he was able to resolve a case of domain infraction. A small vendor that works with KitchenAid was experimenting with registering URLs such as shopkitchenaid.com and buykitchenaid.com for marketing purposes. That Friday when Maynard received his report, he noticed the new URLs, recognized the name of the owner and called his contact at the company to explain that any URLs containing the name KitchenAid had to be owned by the company. Maynard says his contact was shocked by how quickly KitchenAid had gotten on top of the issue. -Daintry Duffy


Coming Next Month: Ram Charan on Security

RAM CHARAN knows a bit about business credibility; after all, BusinessWeek recently dubbed Charan “the most influential consultant alive.” Charan spoke with Boston Scientific CSO Lynn Mattice and CSO Senior Editor Sarah D. Scalet about the present and future role of security. You’ll find the full discussion in next month’s issue, but here’s an excerpt.

Lynn Mattice: One of the [common] failures identified in your book Execution resulted from the inability of individuals within an organization to envision where they need to go. Security departments have been trying to evolve away from the “corporate cop” image. What are the expectations from the executive suite on the corporate security function today?

Ram Charan: The most important part is the expectation about the reputation of the company. How does lack of security help or hurt the reputation of the company? Reputational risk is very important to companies today, so the

(Continued on next page)


14 www.csoonline.com September 2007

PHOTO TOP BY JOHN ABBOTT


ONE STEP FORWARD. TWO STEPS FORWARD

Security can no longer be viewed as a response to fear. It has to become a catalyst for achievement. One that enables you to be more innovative, competitive and more ambitious. From consulting to outsourcing to systems integration, Unisys Solutions for Secure Business Operations empower companies to leap without ever having to look back.

Security unleashed.

UNISYS
Secure Business Operations

©2007 Unisys Corporation. Unisys is a registered trademark of Unisys Corporation.

www.securityunleashed.com


Briefing 


(Continued from previous page) security people, in addition to compliance, need to consider the appropriate focus on reputation. That should be a part of the annual report to the board on risk: how they are linking with the reputational risk assessment and what they are doing. Very clear, very simple, very direct. That’s the key.

Mattice: We’ve seen other organizations throughout the years evolve and gain a more critical position within corporations, elevating up the levels of corporation to join the executive suite. We have seen this happen with IT, with audit, and in the old days with finance. What are your recommendations on how security leaders should change their focus to be able to move up the ranks?

Charan: Security people have to really master how the business makes money. Move the security people in their early careers across the functions, then bring them back. If you rotate them into other functions and they succeed, you make a broader person, and that person has a real opportunity to move up the ladder.

CSO: If they succeed in another function, doesn’t the security department run the risk of losing those people?

Charan: That’s a good idea. Lose them. You would create better people. It’s a very narrow thinking of one department “losing” a person. How many CFOs have become CEOs? Let’s really kill that narrow thinking. ■


The  Unblinking  Eye 

NEW  TECHNOLOGY  IN  GREAT  BRITAIN  WILL  PUSH 
THE  LIMITS  OF  MODERN  SURVEILLANCE 


PRIVACY  No  country  has  employed 
visual  surveillance  as  aggressively  as  Great 
Britain.  Whether  for  traffic  management  or 
antiterrorism  efforts,  the  United  Kingdom  has 
put  cameras  everywhere.  Britain,  according 
to  one  CCTV  consulting  firm,  has  more  than  4 
million  cameras  deployed,  or  nearly  as  many 
as  the  rest  of  the  world  combined,  excluding 
the  United  States.  Now,  with  the  introduction 
of  The  Bug,  Great  Britain  has  fully  embraced 
its  role— for  better  or  worse— as  the  vanguard 
proponent  of  public  surveillance. 

The  Bug  is  a  cluster  of  eight  cameras  that 
can  scan  in  any  direction.  The  cameras  are 
"smart,"  meaning  they  employ  software  for 
advanced  functionality.  (For  more  on  video 
surveillance  analytics,  see  “Look  Smart,” 

Page  34.)  In  this  case,  the  software  uses 
algorithms  to  look  for  suspicious  behavior- 
sudden  running  or  wild  flailing,  for  example. 
The  Bug  can  identify  50  suspicious  traits.  It 
can  then  automatically  lock  on  to  a  subject 
and  follow  that  person  or  object.  The  Bug  also 
has  speakers,  so  someone  monitoring  can 
issue  instructions  or  warnings. 

The  Bug  has  been  in  testing  in  a 
borough  called  Luton,  about  30 
miles  northwest  of  London,  for 
more  than  18  months.  Exeter 
and  Chester  are  planning  to 
deploy  The  Bug  as  well. 

A  key  selling  point 
for  the  company  that 
makes  the  device 
is  that  it  provides 
unmanned  visual 
evidence  if  events 
come  to  trial.  The 
company  also 
says  the  software 
can  deem 
certain  areas 
off-limits  and 
unrecordable. 

But  privacy 
advocates 
believe  The 
Bug  is  a  fright¬ 


ening  encroachment  on  privacy,  eerily  similar 
to  technology  featured  prominently  in  George 
Orwell’s  seminal  book  1984.  In  that  book,  a 
remote  voice  from  a  loud  speaker  reminds 
Winston  Smith  to  perform  his  daily  exercises. 

In  a  story  in  London's  Sunday  Times, 
Privacy  International’s  noted  privacy  advo¬ 
cate  Simon  Davies  is  quoted  saying,  “I  made 
a  prediction  10  years  ago  that  if  we  were 
not  careful  there  would  be  no  escaping  the 
gaze  of  the  lens.  We  have  reached  that  stage.” 
In  that  same  story,  a  spokesman  for  the 
company  that  makes  the  $10,000  Bug  said 
the  device  isn’t  intrusive  even  if  it  picks  up 
an  innocent  person's  behavior,  because  "the 
innocent  have  nothing  to  fear.” 

Most  of  those  commenting  on  the  story  at 
the  Times  site  refuted  that  point,  noting  that 
the  cameras  remove  personal  choice  from  the 
privacy  equation  and  create  a  presumption  of 
guilt,  rather  than  the  traditional  civil  liberty  of 
innocence  until  proven  guilty. 

“Picking up on facial expressions and body language to prophesy a crime? Hang on a minute—isn’t that another name for the thought police?” asked Chris of London, posting on the story. Mark Rotenberg, executive director of the Electronic Privacy Information Center, agrees. “The U.K. is embracing a soft totalitarianism,” he says. “There is an enormous amount of control that flows from the individual to the government when there is this degree of surveillance.”

Next up in Great Britain: drones, toy plane-size pilotless flying machines with cameras attached that can travel at 50 mph and zoom in on a face from 500 feet.
-Scott Berinato


16  www.csoonline.com  September  2007 


PHOTO  BY  ISTOCKPHOTO 


ONE  AGE 


Contrary to the impotent baloney from McAfee/Symantec/et al, it doesn’t take weeks and an army of servers to secure all your computers. You just need one can of BIGFIX whup-ass.

What can you do from one console with a single, policy-driven BIGFIX agent? How about continuously discovering, assessing, remediating, optimizing and enforcing the health/security of hundreds of thousands of computers in minutes? Yup. Minutes.

Schedule a free trial showing how fast we empower you at

or call 510-652-6700 x116. We’ll also send you this poster of BIGFIX’s cleanup agent doing some ...reconnaissance in force.

Windows, Vista, Linux/Unix and Mac systems. Nobody else can do this. And we’re making sure everyone else is more than a little embarrassed.

Ooh-rah!


Never  before  have  so  few  done  so  much,  so  fast,  for  so  many. 


©2007  BIGFIX.  BIGFIX  and  its  logo  are  registered  trademarks  of  BIGFIX,  Inc.  All  other  trademarks  are  acknowledged.  Illustration  by  Daryl  Mandryk. 


Hacktivism Rises Anew With New Round of Cyber Sit-Ins


Dan Lohrmann, Michigan’s chief information security officer, found out about the cyber sit-in from a reporter. It was Tuesday, May 15, 2007, and a group calling itself the Electronic Disturbance Theater asked Michigan residents to voice their opposition to proposed cuts in state healthcare programs by targeting the Michigan.gov website. Over the next two days, participants accessed the group’s website and downloaded a small browser plug-in that repeatedly hit Michigan.gov.

Though Electronic Disturbance Theater sees its actions as a mixture of performance art and civil disobedience, to Lohrmann, it looked very much like a denial-of-service attack. “Had a million people joined in, it would have been interesting,” says Lohrmann. “Not in a good way.”

To Lohrmann’s relief, far fewer than 1 million people hit the Michigan.gov site on the day of the sit-in. Web counters reported a jump of several hundred thousand page views—about a 10 percent bump in traffic. Cyber sit-ins came of age nearly a decade ago, but recently, these disruptions have been cropping up again.

There was a “sit-in element” to the attacks on Estonia’s online infrastructure, according to Jose Nazario, senior security engineer at Arbor Networks. Though many of these attacks were conducted via botnets of hacked computers, the attackers also created code that anybody could download to voluntarily turn their PC into part of the protest.

Lohrmann  was  struck  by  the 
type  of  people  who  were  drawn  into 
the  Michigan  protest.  “This  was 
parents  working  with  bad  guys,” 
he  says. 

Unlike  DoS  attacks,  cyber 
sit-ins  do  not  really  have  to  disrupt 
service  to  be  effective,  says  Dorothy 
Denning,  professor  of  defense 
analysis  at  the  Naval  Postgraduate 
School  in  Monterey,  Calif.  Like  the 
sit-in  protests  of  the  1960s,  these 
actions  are  effective  whenever 
they  bring  publicity  to  a  particular 
cause.  “That’s  mostly  what  they  do,” 
she  says.  Electronic  Disturbance 
Theater  may  not  have  taken  down 
Michigan.gov  last  May,  but  the 
Michigan  press  and  this  magazine 
covered  the  cyber  sit-in,  Denning 
points  out.  “Obviously  they’re 
getting  a  little  publicity,”  she  says. 
And  that  may  just  be  enough  for  the 
activists.  -Robert  McMillan 
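The volunteer plug-in described above produces a traffic shape that differs from both normal browsing and a botnet flood, and the web-server log is where a defender first sees it. What follows is an added example, not code from the article or from any of the parties it describes: a small Python log analyzer that parses combined-format access-log lines and labels each URL by how many distinct sources hit it and how fast each source repeats. The log lines, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses (reserved documentation ranges) and the thresholds are all constructed assumptions.

```python
# Added example (not from the article): flag the "cyber sit-in" pattern in
# web-server access logs. Log lines, IPs and thresholds are constructed
# assumptions for illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def summarize(lines):
    """Per requested path: hit count, distinct client IPs, and the time span covered."""
    per_path = defaultdict(lambda: {"hits": 0, "ips": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        p = per_path[rec["path"]]
        p["hits"] += 1
        p["ips"].add(rec["ip"])
        t = rec["ts"]
        p["first"] = t if p["first"] is None or t < p["first"] else p["first"]
        p["last"] = t if p["last"] is None or t > p["last"] else p["last"]
    return per_path

def classify(lines, min_sources=5, min_repeats=4, max_rate_per_source=10.0):
    """Label each path by who is hitting it and how hard.

    'sit-in': many distinct sources, each re-requesting the same URL at a modest,
              steady rate, as a volunteer browser plug-in would;
    'flood':  a few sources each hammering the URL far faster than a person could;
    'normal': anything else.
    The thresholds are assumptions; tune them against your own baseline traffic.
    """
    result = {}
    for path, p in summarize(lines).items():
        n_sources = len(p["ips"])
        repeats = p["hits"] / n_sources
        window_s = max((p["last"] - p["first"]).total_seconds(), 1.0)
        rate = repeats / window_s * 60.0  # hits per source per minute
        if n_sources >= min_sources and repeats >= min_repeats and rate <= max_rate_per_source:
            label = "sit-in"
        elif n_sources < min_sources and repeats >= min_repeats and rate > max_rate_per_source:
            label = "flood"
        else:
            label = "normal"
        result[path] = {"sources": n_sources, "hits": p["hits"],
                        "hits_per_source_per_min": round(rate, 1), "label": label}
    return result

# --- constructed sample log -------------------------------------------------
def _line(ip, t, path, ua):
    return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

_T0 = datetime(2007, 5, 15, 12, 0, 0, tzinfo=timezone.utc)
_PLUGIN_UA = "Mozilla/5.0 (sit-in plug-in; constructed)"
SAMPLE_LOG = (
    # eight "volunteers" (reserved test addresses) reloading the home page
    # every 10 s for a minute: the sit-in signature
    [_line(f"198.51.100.{i}", _T0 + timedelta(seconds=10 * k), "/", _PLUGIN_UA)
     for i in range(1, 9) for k in range(7)]
    # one host hitting a search URL 50 times in 10 s: a plain flood
    + [_line("203.0.113.7", _T0 + timedelta(milliseconds=200 * k), "/search?q=x", "curl/7.0")
       for k in range(50)]
    # ordinary visitors
    + [_line(f"192.0.2.{i}", _T0 + timedelta(seconds=20 * i), "/about", "Mozilla/5.0")
       for i in range(1, 4)]
)

if __name__ == "__main__":
    for path, info in classify(SAMPLE_LOG).items():
        print(f"{path:14} {info}")
```

Run it directly to print the per-path summary. In practice you would feed it a sliding window of live log lines and compare the per-source rate and the number of distinct sources against your own baseline rather than fixed thresholds; the distinguishing feature of a sit-in is the many-sources, low-rate-each shape, which a per-IP rate limit alone will not catch.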


Five Questions With John Clippinger on the Global Impact of User-Centric Security

IDENTITY  MANAGEMENT 

In  A  Crowd  of  One:  The  Future  of  Individual 
Identity  (PublicAffairs,  April  2007),  John 
Clippinger  presents  a  historical  and 
sociological  case  that  our  ability  to  form 
trusted  relationships  is  critical  to  human 
evolutionary  success.  Through  his  work  as 
a  senior  fellow  for  Harvard  Law  School's 
Berkman  Center  for  Internet  and  Society, 
Clippinger  is  one  of  the  drivers  behind 
Project  Higgins,  an  initiative  to  develop 
user-centric  identity  management  software. 

CSO: In your book you argue that identity management will revolve around end users rather than corporations. How will this affect security technology development?

John Clippinger: Security will play a key role. It will be appreciated by end users in order to build trust and facilitate commerce. [Technologies like] IBM Id Mixer could prove very potent. Security of exchange for federation and aggregation will become important.

What  are  the  criteria  that  will  affect 
whether  society  successfully  transitions 
to  user-centric  identity? 

Privacy and civil liberties will be critical. Instead of an ubersolution and single identifier—a national ID card for all cases—there will be a need to recognize that the more open and distributed the identity system, the greater the prospect for trusted collaboration and exchange. Companies will need to push for economic and civil liberties.

How does your concept of user-centric identity management jibe with the increasing trend toward surveillance security?

There is a huge set of issues here that need to be worked out at the national policy level.

What  could  this  trend  mean  for  larger 
security  concerns  like  terrorism? 

If  there  is  another  significant  attack,  the 
reflex  will  be  to  clamp  down.  This  will  not 
create  a  more  secure  system  nor  be  an 
effective  deterrent.  But,  politics  will  prevail. 

You  write  that  2000  to  2025  is  a  tipping 
point  during  which  we  will  either  peacefully 
converge  or  devolve  into  chaos.  What’s 
your  current  prediction? 

It is a race. I am impressed that corporations such as Cisco, GE, Royal Dutch Shell, Fidelity and others are recognizing the importance of new corporate structures and the triple bottom line (profit, environment, social). But the environmental and security issues are more rapidly deteriorating than I thought. Technological change could become destabilizing. On a global basis we will need to get a lot smarter very soon.

-Daintry  Duffy 




PHOTO  BY  KEVIN  FOWLER 


SecureWorks

The next attack can come from anywhere.


Vigilance  requires  resources.  But  outsourcing 
security  should  do  more  than  lower  your 
costs.  It  should  lower  your  risk. 


SecureWorks does just that. Our industry-leading counter-threat unit, round-the-clock analysts, and state-of-the-art threat correlation platform let us go beyond satisfying your compliance requirements — we safeguard your reputation.


www.secureworks.com 


©2007  SecureWorks,  all  rights  reserved.  SecureWorks  and  the 
SecureWorks  logo  are  registered  trademarks  of  SecureWorks. 


Gozi and Mpack, iframes, the HangUp Team, 76Service—these are key names in the evolution of modern cybercrime, where identity theft is point-and-click. We follow security researchers behind the curtain. By Scott Berinato




In 2003, online banking was not yet ubiquitous, but everyone could see that eventually it would be. Everyone includes Internet criminals, who by then had already built software capable of surreptitiously grabbing personal information from online forms, like the ones used for online banking. The Adam of these so-called form-grabbing Trojans was called Berbew.


Berbew’s creator is believed to be a VXer, or malware developer, named Smash, who rose to prominence by cofounding the IAACA—International Association for the Advancement of Criminal Activity—after the feds busted up ShadowCrew, Smash’s previous hacking group.

Berbew was wildly effective. Lance James, a researcher with Secure Science Corp., believes it operated undetected for as long as nine months and grabbed as much as 113GB of data—millions of personal credentials.

Like all exploits, Berbew was eventually detected and contained, but strands of Berbew’s form-grabbing code were stitched into other new Trojans. The process is not unlike horticulturists grafting pieces of one plant onto another in order to create hardier mums.

Thus, Berbew code reappeared in the Trojan A311-Death, and, in turn, A311-Death begot a pervasive lineage of malware called the Haxdoor family, authored by Corpse, who many believe was part of a well-known, successful hacking group called the HangUp Team, based in the port city of Arkhangelsk, Russia, near the Arctic Circle.

By 2006, online banking was ubiquitous, and form-grabbing malware had been refined into remarkably efficient, multipurpose bots. Corpse himself was peddling a sophisticated Haxdoor derivative called Nuclear Grabber for as much as $3,200 per copy. Nordea Bank in Sweden lost 8 million kronor (more than $1 million) because of it.

But by last October, despite his success, Corpse decided that it was time to lay low. A message appeared on a discussion board at Pinch3.net, a site that sold yet another Haxdoor relative called pinch.

The  message,  posted  in  Russian  by  “sash,”  quotes 
Corpse:  “I  declare  about  the  official  curtailment  of  my 
activity  of  that  connected  with  troyanami  [Trojans].” 

This past January, a reporter for Computer Sweden chatted with Corpse, pretending to be a potential customer. Corpse tried to sell him Nuclear Grabber for $3,000 and crowed that banks sweep 99 percent of online fraud cases under the rug. After Computerworld Australia published the chat, Corpse disappeared.

But his form-grabbing code resurfaced, when a friend of Don Jackson asked Jackson to look at a file he found on his computer. That file ultimately led Jackson to a glimpse behind the curtain of malware and a surprising revelation about hacker economics.

January  ’07—  Discovery 

JACKSON IS a security researcher for SecureWorks, one of dozens of boutique security firms that have emerged to deal with the inherently insecure, crime-ridden, ungovernable Internet. Jackson’s company and others like it usually sell security products, but their real value is in the research they do. With law enforcement over-taxed by and under-trained for electronic crime, these firms have become a primary source of intelligence on underground Internet activity and VXers’ latest innovations.

The expense associated with the hard-core intel and technically arduous research is more than paid for by its value as a marketing tool. Being the first to market, even when your product is bad news about security, wins press attention and, ultimately, customers. So security startups stock up on researchers like Jackson who have a working, or sometimes intimate, knowledge of the criminal hacker underground. All day, every day, security researchers at these small companies are dissecting malware, chatting with bad guys and poking around suspicious domains.

Still, neither the sheer number of firms and jobs like Jackson’s created in the past five years, nor the fact that larger companies like BT, IBM, Symantec and Verizon are acquiring those companies, is a sign that the good guys are catching up. They’re more a sign of how much money can be made trying to catch up.

IN THIS STORY: The service economy behind identity theft; Why banks lack the incentive to fight back; How iframes work

Information Security

The  friend  who  asked  for  Jackson’s  help  was  a  victim— but  of 
what  he  wasn’t  sure.  All  he  could  say  was  that  several  of  his  online 
accounts  had  been  hijacked  and  that  a  scan  of  his  computer  turned 
up  a  conspicuous  executable,  or  .exe,  file  that  wasn’t  detected  as 
malware  but  wasn’t  recognized  as  legitimate  either. 

Jackson discovered that the file had been on the system for almost a month. If it turned out to be something new and malicious, then Jackson had discovered a zero-day exploit. It would be a publicity boon for SecureWorks.

Jackson downloaded the .exe to a lab computer. “Generally, the .exe is not all that exciting to researchers who see hundreds of samples each month,” he says. Jackson found that it was a derivative of Corpse’s Haxdoor form grabber, just a new cultivar of an old species, albeit a reasonably well-crafted one. Like several form grabbers before it, this one intercepted form data inside the browser, before it was SSL-encrypted. The little glowing lock in the corner of the browser, the one that online merchants will tell you ensures you’re on a safe page, only vouches for the connection between browser and server; it says nothing about whether the browser itself has been compromised, so here it meant nothing of the sort.

Initially  Jackson  named  his  discovery  after  the  transliteration 
of  a  Russian  word  he  found  inside  the  source  code:  pesdato.  Later, 
he  learned  that  pesdato  is  a  sort  of  obscenity  in  Padonki,  which  is 
a  type  of  Russian  hacker  slang.  So  he  changed  the  name,  instead 
choosing  the  moniker  of  a  cartoon  character  that  he  had  made  up 
in  grade  school:  Gozi. 

The process of fully deconstructing Gozi took Jackson three days. On the third day, as he pored over the source code, Jackson noticed that the sample on his lab computer was communicating with an IP address that he thought was owned by the Russian Business Network. RBN is a notorious service provider out of St. Petersburg, Russia, that Jackson and others say has a reputation for accommodating spammers and other malware outfits. Normally, Jackson thought, bots would be stealthier about communicating with RBN. Maybe this was a mistake. Curious, he decided to poke his head in and look around on the RBN server that Gozi was talking to.

And what he found stunned him: a full-fledged e-commerce operation. It was slick and accessible, with comprehensive product offerings and a strong customer focus. Jackson had never seen anything like it. So business-like. So fully conceived. So professional.

It was early February by the time he found a 3.3GB file containing more than 10,000 online credentials taken from 5,200 machines—a stash he estimated could fetch $2 million on the black market. He called the FBI as he prepared to go undercover to learn more. If he had known at the time what pesdato, that Padonki slang word, meant, he might have uttered it under his breath when he realized what he had stumbled on to.

He had stumbled on to the next phase of Internet crime. Gozi was significant not because the Gozi Trojan was innovative or hard to detect—it wasn’t. It was in many ways no different from its 4-year-old ancestor Berbew. No, Gozi was significant, Jackson thought, because it wasn’t really a product at all. It was a service.

The Golden Age

GOZI REPRESENTS the evolution of Internet crime to a service-based economy. Electronic crime has grown, from an episodic problem, like bank robberies carried out by small gangs, to a chronic one, like drug trafficking run by syndicates.

Already every month, James’s company, Secure Science, discovers 3 million compromised log-in credentials—for banks, for online e-mail accounts, anything requiring a user name and password on the Internet—and intercepts 250,000 stolen credit card numbers. On an average week, Secure Science monitors 30 to 40GB of freshly stolen data, “and that’s just our company,” says James.

Given those stats, you would think you’d have heard more about Gozi, or about this chronic condition in general. But you haven’t. Beyond the research community, Gozi and the other Trojans stealing all this data have been largely ignored. A half-dozen CSOs and CISOs contacted for this story, including some representing banks and online merchants, had either never heard of Gozi or vaguely recalled the name and not much else. And why would they? Gozi had its 15 minutes of fame in the media, reported without context, with a tally of the known damage, like a traffic accident. And yet, Gozi wasn’t that at all. It was an idea, a business model.

Even  after  it  fell  out  of  the  news,  and  despite  the  fact  that  Don 
Jackson  and  the  FBI  believed  they  knew  how  it  worked  and  who 
was  running  it,  the  Gozi  Trojan  continued  to  adapt  to  defenses, 
infect  machines  and  grab  personal  information. 

“Do you have a credit card? They’ve got it,” states another researcher who used to write malware for a hacking group and who now works intelligence on the Internet underground. He could only speak anonymously to protect his cover. “I’m not exaggerating. Your card numbers will be compromised four or five times, even if they’re not used yet.”

“I take for granted everything I do on the Internet is public and everything in my wallet is owned,” adds Chris Hoff, security strategist at Crossbeam and former CISO of Westcorp, a $25 billion financial services company. “But what do I do? Do I pay for everything in cash like my dad? I defy you to do that. I was at a hotel recently and I couldn’t get a bottle of water without swiping my credit card. And I was thirsty! What was I gonna do?”

That’s the thing about this wave of Internet crime. Everyone has apparently decided that it’s an unavoidable cost of doing business online, a risk they’re willing to take, and that whatever’s being lost to crime online is acceptable loss.

Law enforcement lacks resources and jurisdiction. And in some cases, security companies are literally shifting their strategies away from trying to secure machines connected to the Internet; they’re giving up because they don’t believe it can be done.

It’s a conspiracy of apathy. For the criminals, this is great news. They stand blinking into the dawn of a golden age of criminal enterprise. They’ll use malicious code to run syndicates that will be both less violent and more scalable than in the past.

Now is the criminal hacker’s time. In Arkhangelsk, Russia, it is the HangUp Team’s time.

February— Access 

THE SERVICE Jackson found when he followed Gozi back to the RBN server was called 76Service.com. The homepage was pretty and simple, just a stylized log-in box with a subtitle: Winter Edition. But how this service worked wasn’t yet clear, so Jackson went undercover. On carders forums, the online hangouts for people who run credit card rackets, he found some members who knew about Gozi and 76Service. He recognized their avatars—online personas usually marked by a picture that gets posted with their comments on discussion boards—as ones that belonged to members of the HangUp Team. “It confirmed to me they were involved,” Jackson says, “but how still wasn’t clear. For all I knew, they just sold the bot to someone.”

In response to requests Jackson posted, one of these HangUp Team members e-mailed him at an anonymous safe-mail.com account. The e-mail told Jackson to log on to a specific Internet chat room with a specific name at a specific time. Jackson, using a machine configured to hide its location, did so.

The room was virtually crowded. “I get there, and there’s lots of conversation. Lots of Russian that’s flying by me,” Jackson says. Everyone spoke freely. Jackson did not sense any fear of law enforcement, or curious researchers, snooping. In fact, Jackson thinks that a kind of bidding was taking place. The channel moderator was offering preview accounts to 76Service such that the users could tour the site. The hope was they’d come back saying pesdato! and offer a good price for access.

Jackson asked if he could take a test run too. If he seemed nervous and unpracticed about doing business here, it was because he was. “The moderator says, ‘You don’t speak Russian. Where are you from?’ I say, ‘The U.K.’ He says, ‘Only people we know get test runs.’” A few others derided Jackson for his ignorance and, in so many words, told him to go away.

Plan B: Jackson called on a friend who followed the HangUp Team closely, almost the way a CIA analyst builds up expertise. It was a stab in the dark, but remarkably it worked. A colleague knew about 76Service, which he said had been online for several months, and he lent Jackson log-in credentials.

The 76Service Business Model

WHEN JACKSON logged in, the genius of 76Service became immediately clear. 76Service customers weren’t paying for already-stolen credentials. Instead, 76Service sold subscriptions or “projects” to Gozi-infected machines. Usually, projects were sold in 30-day increments because that’s a billing cycle, enough time to guarantee that the person who owns the machine with Gozi on it will have logged in to manage his finances or otherwise expose data to the form grabber.

76Service subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots were currently active and offered a sidebar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers.

A project was like an investment portfolio. Individual Gozi-infected machines were like stocks, and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. In some cases, subscribers would use a few of the credentials themselves.

Some machines, like some stocks, would under-perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another.

Grabbing forms provides several advantages to both buyer and seller compared with the old model of pulling account numbers out of databases. For the seller, it’s safer. He becomes a broker, a middleman. He barely handles stolen data. For the buyer, it’s the added value of an identity compared with a mere credential. For example, a credit card number alone might be worth $5, but add the three- or four-digit security code associated with that card and the value triples. Add billing address, phone number, cardholder name and so forth and the value of the record can reach into the hundreds of dollars, because the buyer can use this information to create and exploit new lines of fraudulent credit.

If you can grab the primary and secondary authentication forms used for financial services log-in, you’ve hit the jackpot: a real person’s full financial identity. Everything that person had entered into forms online would create an avatar that could be used in the real world to buy goods, apply for credit and passports, buy cell phones, open new bank accounts and manipulate old ones. A dossier like that would be one of the most valuable commodities available on the information black market.

That’s why the subscription prices on 76Service were steep. “Prices started at $1,000 per machine per project,” says Jackson. Even so, the buyers evidently were confident in their ability to turn a profit. With some tinkering and thanks to some loose database configuration, Jackson gained a view into other subscribers’ accounts. He mostly saw subscriptions that bought access to only a handful of machines, rarely more than a dozen.

The $1K figure was for “fresh bots”—new infections that hadn’t been part of a project yet. Used bots that were coming off an expired project were available, but worth less (and thus, cost less) because of the increased likelihood that personal information gained from that machine had already been sold. Customers were urged to act quickly to get the freshest bots available.

This was another advantage for the seller. Providing the self-service interface freed up the sellers to create ancillary services. 76Service was extremely customer-focused. “They were there to give you services that made it a good experience,” Jackson says. You want us to clean up the reports for you? Sure, for a small fee. You want a report on all the credentials from one bank in your drop? Hundred bucks, please. For another $150 a month, we’ll create secure remote drops for you. Alternative packaging and delivery options? We can do that. Nickel and dime. Nickel and dime.

ILLUSTRATION BY DANIEL BEJAR

A Malware Glossary

Baffled by bots? Vexed by variants? Some nontechnical definitions of players and common terms found in this story and in the malware world in general.

Bot: A computer controlled by a remote attacker. Also used to refer to the malware itself, which allows that control.

Carder: Someone who trades in stolen credit card and cardholder data.

Downloader: A small piece of code, usually a single instruction, used to silently fetch a malicious file from an attacker’s server.

Drop: A clandestine computer or service (such as an e-mail account) that collects data stolen by a Trojan.

Dump: As a noun, used interchangeably with drop. As a verb it means to transfer data onto a machine for analysis, or to discard an .exe after reverse engineering.

.exe: A Windows executable program. In a malware attack, the “.exe” refers to the malicious program that infects the victim’s PC.

Exploit: Code used to take advantage of vulnerabilities in software code and configuration, usually to install malware.

Form grabber: A program that steals information submitted by a user to a website. (Originally, forms were the only way to submit user input to a Web server, but now the meaning has changed to encompass any HTTP communication using a POST request.)

Gozi: One of a family of Trojans written by Russians known as the HangUp Team, used in a string of attacks orchestrated by a group known as 76Service.

Iframe: A special tag used to load one webpage into a part of another webpage. Used by attackers (“iframers”) to load malicious code, often JavaScript, onto an otherwise trusted page.

Keylogger: A program that logs user input from the keyboard, usually without the user’s knowledge or permission.

Mpack: An exploit kit: a server-side package bundling perhaps a dozen browser exploits, so that a visiting computer is more likely to be vulnerable to at least one of them and get infected.

Packer: A tool used to compress and scramble an .exe file. Used to hide the malicious nature of malware and thwart analysis by researchers.

Padonki: A kind of Russian hacker slang in which words, often obscene ones, are purposefully misspelled or bastardized.

RAT: Remote Access
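The glossary’s Iframe entry describes the injection but not how a site owner would find one. Below is an added example, not code from the article or from SecureWorks: a Python audit that walks a page with the standard-library HTML parser and reports iframes that point off-site, are sized to zero or one pixel, or are hidden by an inline style, the three tells that injected frames usually combine. The sample page and the bank.example and evil.example hosts are constructed.

```python
# Added example (not from the article): audit HTML for the hidden, off-site
# iframes that "iframers" inject into otherwise trusted pages. The sample page
# and the .example host names are constructed assumptions.
from html.parser import HTMLParser
from urllib.parse import urlparse

def is_tiny(value):
    """True for width/height attributes of 0 or 1 (px), the usual 'invisible' sizes."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return int(v) <= 1
    except ValueError:
        return False

def same_site(src, page_host):
    """True if src is relative or points at page_host or one of its subdomains."""
    host = urlparse(src).hostname
    if host is None:           # relative URL: same site by definition
        return True
    host = host.lower()
    return host == page_host or host.endswith("." + page_host)

class IframeAuditor(HTMLParser):
    """Collect every <iframe> together with the reasons it looks injected."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        if not same_site(src, self.page_host):
            reasons.append("off-site src")
        if is_tiny(a.get("width")) or is_tiny(a.get("height")):
            reasons.append("zero-size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})

def audit_html(html, page_host):
    """Return a list of suspicious iframes found in `html` served from `page_host`."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed page: one legitimate same-site frame, one injected frame of the
# kind the glossary describes (zero-size, hidden, pointing off-site).
SAMPLE_PAGE = """<html><body>
<h1>Welcome to bank.example</h1>
<iframe src="https://www.bank.example/rates" width="600" height="300"></iframe>
<iframe src="http://evil.example/in.cgi?3" width=0 height=0 style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE, "bank.example"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

A legitimate same-site frame with a visible size produces no finding, so the audit can run over every page of a site without drowning the reviewer; anything it does flag deserves a look at the file on disk and at whoever last had write access to it, since injected frames arrive through a compromised server or stolen FTP credentials rather than through the page author.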

March— Temporary  Containment 

JACKSON  WAS  focused  on  his  technical  analysis,  but  he  con¬ 
tinued  correspondence  with  the  source  who  gave  him  access  to 
76Service.com.  After  several  e-mail  exchanges  with  Jackson,  the 
source  decided  that  he  could  trust  him  enough  to  share  what  he 
knew  about  the  people  behind  76Service.  He  told  Jackson  that  the 
operation  was  run  by  just  two  people,  known  as  76  and  Exoric.  76 
was  in  Russia.  Exoric  seemed  to  be  based  out  of  Mexico. 

76 was a former member of the HangUp Team who broke off to launch this service. He probably bought the Haxdoor form-grabbing code grafted onto Gozi from his old crew. He might have traded for it. He also probably had a relationship with the RBN from his HangUp Team days. The lack of manpower beyond the two of them might also explain some of the mistakes 76Service made, such as the direct connection to RBN servers and the site configuration that allowed Jackson to view other people’s projects.


It appears 76 recruited Exoric for his server-side knowledge, whereas 76 was coding the actual Trojan.

Jackson was sharing all of this information with a field agent from the local FBI office, who sent it up to agents in D.C., who in turn coordinated with Russian authorities on an investigation, according to Jackson. (The FBI has refused to comment specifically on the case.) Meanwhile Jackson contacted InfraGard, which in turn shared his findings with financial institutions. Jackson wrote an exhaustive technical report (www.secureworks.com/research/threats/gozi) that covered both how Gozi worked and how the service did too. After he published it, and his PR team spread the word, the press pounced: “Gozi Trojan Leads to Russian Data Hoard.”

Gozi had been known to be in the wild for at least three months. But Jackson also believed that the Winter Edition of 76Service was by no means the first edition. He suspected that 76Service had been operating undetected for perhaps as long as nine months.

But by mid-March, the good guys seemed to be getting ahead of it. Antivirus and antispyware vendors were adding Gozi signatures to their products to detect the bot. 76Service servers had been sent on the run as the FBI and ISPs detected and blocked the IP addresses that Gozi connected to, forcing 76 and Exoric to move the site constantly. Around March 12, the loose coalition of FBI, researchers, ISPs and others finally seemed to get 76Service shut down.

This spurred a fire sale of whatever data had been left unsold at 76Service. Jackson says that after March 12, some banks saw hundreds of accounts opened each day that were traced back to Gozi-grabbed data. Some of those account holders managed to make several cash transfers up to $49,000. “They’re playing with limits on fraud,” says Jackson. That is, they know the banks won’t flag five transfers under $50 grand, but will flag one $250,000 transfer. Jackson says many of these transfers were wired to, of all places, Belgium, though he didn’t know if anyone had been caught picking up the cash there. Some other accounts were detected and blocked from activity before transfers were made. Jackson says the U.S. Secret Service was briefed. (The Secret Service declined to comment.) Gozi and 76Service finally seemed to be contained.
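The "playing with limits" tactic Jackson describes is defeated on the bank side by aggregating transfers instead of judging each one alone. The following is an added example, not code from the article or from SecureWorks: a rule that sums an account's sub-limit outbound transfers over a rolling window; the $50,000 threshold and the seven-day window are assumptions, and the transfer records are constructed.

```python
"""Flag transfers split to stay under a per-transaction review limit.

Added example (not from the CSO article): an aggregation rule that looks
at outbound transfers per account over a rolling window, so that several
transfers each just under the single-transfer threshold are reviewed
together. Threshold and window are assumptions, not figures from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SINGLE_TRANSFER_LIMIT = 50_000          # assumed per-transfer review threshold
ROLLING_WINDOW = timedelta(days=7)      # assumed aggregation window


def flag_structured_transfers(transfers, limit=SINGLE_TRANSFER_LIMIT,
                              window=ROLLING_WINDOW):
    """Return {account: largest windowed total} for accounts whose sub-limit
    transfers add up to `limit` or more inside any `window`-long period.

    Transfers at or above `limit` are left to the per-transaction rule and
    are not counted here.
    """
    per_account = defaultdict(list)
    for t in transfers:
        if t["amount"] < limit:
            per_account[t["account"]].append(t)

    flagged = {}
    for account, rows in per_account.items():
        rows.sort(key=lambda r: r["ts"])
        start, running = 0, 0
        for row in rows:
            running += row["amount"]
            # slide the window start forward until the span fits in `window`
            while row["ts"] - rows[start]["ts"] > window:
                running -= rows[start]["amount"]
                start += 1
            if running >= limit:
                flagged[account] = max(flagged.get(account, 0), running)
    return flagged


def _ts(day):
    """Constructed timestamp helper: day N of March 2007."""
    return datetime(2007, 3, day)


# Constructed sample: ACCT-A splits $245,000 into five sub-limit transfers
# over five days; ACCT-B makes a single small transfer; ACCT-C makes one
# transfer above the limit (caught by the per-transaction rule instead);
# ACCT-D's two transfers are ten days apart and never share a window.
SAMPLE_TRANSFERS = [
    {"account": "ACCT-A", "amount": 49_000, "ts": _ts(13)},
    {"account": "ACCT-A", "amount": 49_000, "ts": _ts(14)},
    {"account": "ACCT-A", "amount": 49_000, "ts": _ts(15)},
    {"account": "ACCT-A", "amount": 49_000, "ts": _ts(16)},
    {"account": "ACCT-A", "amount": 49_000, "ts": _ts(17)},
    {"account": "ACCT-B", "amount": 20_000, "ts": _ts(14)},
    {"account": "ACCT-C", "amount": 250_000, "ts": _ts(14)},
    {"account": "ACCT-D", "amount": 30_000, "ts": _ts(1)},
    {"account": "ACCT-D", "amount": 30_000, "ts": _ts(11)},
]

if __name__ == "__main__":
    for account, total in flag_structured_transfers(SAMPLE_TRANSFERS).items():
        print(f"{account}: {total:,} moved in sub-limit transfers within one window")
```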

But it hardly mattered. By this time, another form-grabbing Trojan had been discovered.


Trojan, malware that allows attackers (also known as RATs) to remotely control an infected PC or bot.

RBN: The Russian Business Network. An infamous ISP used by primarily Russian malware groups to host malware and drops. The ISP is reportedly run out of Panama and owned by a company operating from the islands of Seychelles, off the eastern coast of Africa. Variously described as “opaque,” “dubious” and “shady.”

Redirect: A feature of HTTP used to automatically forward someone from one website to another. In the case of malware, redirects are done invisibly, sometimes inside iframes.

Rootkit: Code that plugs in to and changes the low-level functions of an operating system. Used by malware to hide itself from users and even the operating system itself.

Torpig: A relatively new family of Trojans representing the latest in malware capabilities, including the ability to hide itself and provide backdoor access for installing other configurations, components or even other Trojans.

Trojan: A program that attempts to hide its malicious code by masquerading as an innocuous program (often through the use of a packer).

Variant: Malware that is produced from the same code base (or “family”) as a previous version but is different enough to require new signatures for detection by antivirus and anti-malware products.

VXer: Originally, a virus writer. Now refers to anyone involved in the production or use of malware.

SOURCES: SECUREWORKS, CSO REPORTING




Information  Security 


This one was called Torpig. Its technical architecture and its service were nearly identical to Gozi and 76Service, including links to RBN servers. But Torpig was engineered to target bank forms specifically—excluding less valuable credentials like e-mail log-ins or log-ins for newspaper sites. Torpig shipped with a database of financial websites’ URLs, and when it recognized one of these URLs in the browser’s address bar, it woke up and added a redirect command to the URL.

Jackson says that intelligence suggested that the criminals had set up real accounts at the banks on Torpig’s hit list and then captured their own legitimate transaction traffic to see what “normal” transactions looked like at each bank. This way, they could tailor each bank’s redirect command to mimic a normal transaction, so that filters wouldn’t register anomalous activity. Jackson calls it “Gozi on steroids.” It has proven much more problematic to researchers, banks and law enforcement. Shutting it down has been far more difficult than taking out Gozi, too, because Torpig communicates with a network of servers. Gozi had connected only to the one RBN server.

Then, on March 21, 76Service was discovered back online, running off a new server in Hong Kong. By March 27, Jackson had confirmed that it used a new variant of Gozi, undetected by filters. It was the Spring Edition.

Distributed  Pain/Concentrated  Gain 

The HangUp Team’s online art gallery is populated with a disturbing mishmash of images and messages like “Fraud 4ever” and “In Fraud We Trust.” (One picture, for example, combines an image of Hitler, a cannabis leaf and the head of Eugene Kaspersky, who owns a Russian-based antivirus company, on a platter.) And yes, pictures of its members often include what have come to be hackneyed criminal hacker cliches—members posing with their cash, for example.

But do not mistake this culture for incompetence. HangUp Team is one of a number of highly successful businesses that some researchers claim earn their members millions of dollars per month. “As a security professional, you don’t want to say you’re impressed by them,” says “John,” the security professional at a large bank who agreed to talk only if he could remain anonymous, because he didn’t have permission from his bank to speak. “But they’re better run and managed than many organizations. They’re properly funded, they have a clear goal, they’re performance-driven, focused on a single mission. It’s like an MBA case study of success.”

There are two key tenets underscoring that success: distributed pain with concentrated gain, and distributed risk.

The more important of these is distributed pain with concentrated gain. The massive size of the market that Internet criminals prey on allows them to spread losses across hundreds or thousands of victims. “If you take $10 off of 10,000 credit cards, you’ve made $100,000 that no one victim either recognized or felt enough to care,” says Jim Maloney, a former CSO at Amazon.com who now runs his own security consultancy. “Then scale that up to five different banks’ credit cards.” Each bank loses roughly $20,000. “The gain is concentrated for this one hacker group, but the penalty to each bank is still written off as acceptable loss.

“Then go to law enforcement. Unless they hear from many victims and can aggregate the problem as one big one, so that the resources required to chase it down are justified, they won’t, they can’t chase it down,” Maloney says.

And if they did decide to open an investigation, who do they go after? That’s the distributed risk element. Groups like the HangUp Team, and 76 himself, deal in access to credentials. 76, for example, barely handles stolen data. He also contracts out the distribution of his malware. And he sells to people who themselves don’t commit fraud with the credentials but usually turn around and sell them to still others who actually commit the final fraud by turning stolen information into money and goods.

That’s several links in a supply chain all sharing the risk. (It’s instructive to note that, according to several researchers, one of the biggest frustrations for groups like the HangUp Team recently has been “newbies” to the credentials market who buy a credit card and immediately rack up tens of thousands of dollars in luxury goods on that card—essentially concentrating the pain and threatening to put the good guys on the scent.)

The Internet criminals’ model perfectly mirrors the drug cartel model, which relies on a stratified market that spreads the risk out to pushers, distributors, mules and manufacturers, while the money flows up to the cartel. Disrupting the middlemen—and that’s what the HangUp Team is becoming—doesn’t solve the problem. Other middlemen will simply rise to fill the void, much the way Smash started the IAACA to fill the void left when ShadowCrew was taken down.

“Information is currency, that’s the radical change,” says Chris Rouland, CTO and IBM Distinguished Engineer with IBM’s Internet Security Systems group. “These guys don’t need to steal from anyone. They’ve moved themselves way up the value chain.”

April—The Iframe Problem

In early April, the Spring Edition 76Service server in Hong Kong was taken down. Filters added the new Gozi variant to their lists of detected malware. On the run again, 76 and Exoric would fold up their tent and modify Gozi to be undetectable again while they found a new place to set up shop. And when they did, the steps would start again, the two sides entwined in an endless, uneasy foxtrot.

Jackson continued to help where he could, but much of this was out of his hands. He had since immersed himself in another facet of 76Service—the mechanism by which it distributed malware.

No matter how inspired the idea of a subscription to infected machines was, or how cleverly engineered the bot that infected those machines was, 76’s and Exoric’s success with 76Service, surprisingly, relied on something they didn’t develop themselves but rather contracted out: distribution.

Iframes were the distribution mechanism used to create a large population of Gozi-infected machines. Iframes are a browser feature that allows websites to deliver content from a remote website within a frame on a page. Think of stock quotes originating from one site streamed into a small box on another site.

Criminal hackers exploit this feature by building iframes into pages that are one pixel by one pixel—invisible to the user. Inside that iframe they can stash executable code stored at another site. Usually, it’s a tiny piece of software called a downloader.

A downloader is a single redirect instruction. When a PC visits the iframed website, the downloader is delivered from inside the invisible iframe and it tells the browser to visit some other IP address. Its job is done.

Usually this address contains another downloader, which repeats the process. For obfuscation purposes, this may happen several times before one of the downloaders finally points to a server containing malware. The malware is delivered through the iframe onto the PC. This is how Gozi got on machines.
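The one-pixel iframe described above is also the first thing a site owner auditing their own pages should look for. The following is an added example, not code from the article or from SecureWorks: it parses a constructed sample page and flags iframes that are effectively invisible (1x1 or smaller, zero-sized, or hidden by inline style) and load content from a host other than the page's own.

```python
"""Flag hidden iframes that pull content from another host.

Added example (not from the CSO article or SecureWorks): a page audit that
finds <iframe> elements which are effectively invisible (1x1 or smaller,
display:none, visibility:hidden) and whose src points off-site, the
pattern the article describes for iframe-based malware distribution.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser lowercases attribute names; a bare attribute has value None
            self.iframes.append({name: (value or "") for name, value in attrs})


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or ' 300 ' to an int."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def is_hidden(attrs):
    """True if the iframe would be invisible to the user."""
    width, height = _px(attrs.get("width")), _px(attrs.get("height"))
    if width is not None and height is not None and (width <= 1 or height <= 1):
        return True
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # width:1px / height:0 set inline; the lookbehind skips e.g. border-width
    for match in re.finditer(r"(?<![a-z-])(?:width|height):(\d+)", style):
        if int(match.group(1)) <= 1:
            return True
    return False


def is_offsite(src, page_host):
    """True if the iframe src names a host other than the page's own."""
    host = urlparse(src).hostname
    return bool(host) and host.lower() != page_host.lower()


def find_suspicious_iframes(html, page_url):
    """Return the src of every hidden, off-site iframe in document order."""
    page_host = urlparse(page_url).hostname or ""
    parser = IframeCollector()
    parser.feed(html)
    return [
        frame.get("src", "")
        for frame in parser.iframes
        if is_hidden(frame) and is_offsite(frame.get("src", ""), page_host)
    ]


# Constructed sample page: one visible third-party widget (legitimate), one
# same-host 1x1 pixel, and two hidden frames loading from other hosts.
SAMPLE_PAGE_URL = "http://www.example.com/index.html"
SAMPLE_HTML = """
<html><body>
<h1>Free fonts</h1>
<iframe src="http://quotes.example.net/ticker" width="300" height="200"></iframe>
<iframe src="http://www.example.com/pixel.html" width="1" height="1"></iframe>
<iframe src="http://redirector.example.invalid/dl" width="1" height="1"></iframe>
<iframe style="display: none" src="http://cdn.example.invalid/x.php"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("hidden off-site iframe:", src)
```

A visible off-site frame (the stock-quote widget) and a hidden same-host pixel are deliberately left unflagged, so the check reports only the combination the article describes.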

Jackson knew this from the beginning of his research. What he did not know until April was that 76 and Exoric contracted out for their iframes. Iframes are so effective and easy to implement that an entirely new business has emerged around them. Trolling a discussion board, Jackson found out that 76Service contracted with a group called IFrameBiz.com.

They are believed to be one of the first and most important iframing groups. Their business model is simple and familiar. They pay for click-throughs. If you agree to host their iframe code on your website, you receive a payout every Monday by PayPal, e-Gold, Western Union or other method. Base rates ranged from 5 euros a week in China, 10 euros in other Asian countries and 40 euros for “other world.” Payment is contingent on a minimum of 1,000 click-throughs. (If you don’t have your own malware to deliver through the iframes, they’ll sell you the executables as well.)

A few euros a week doesn’t sound like much money, but most IFrameBiz customers control tens or hundreds of domains, some active, some languishing. Say you own 100 domains. You could drop the 3KB of iframe code on all of those sites and make 500 to 4,000 euros just for letting it live there. Seeing the opportunity, some entrepreneurs are buying up domains just to host the iframe code and then hustling to direct traffic to their sites.

The iframers also inject their iframes into legitimate websites that have vulnerabilities.

Then, with a portfolio of infected sites, they turn around and sell access to their network. At the time of Jackson’s research, it was $1 per infection.

No one knows how many infected sites 76Service paid for. Font.com was one site that accounted for many Gozi infections, likely chosen because of its broadness and the likelihood that less savvy users would type in that URL if they were looking for fonts. Alchemylab.com was another, according to Jackson. (Both have been cleaned up since.) Jackson and the anonymous researcher believe 76Service may have paid a premium for an enhanced service—exclusive access to and management of the iframed pages. That allowed 76 and Exoric to easily move their site around (as the good guys had forced them to) without having to constantly ask the iframers to reconfigure the iframes to point to new IP addresses.

Someone looking to deposit malware like Gozi on machines has few better options than iframes, because of their ability to intervene without the user’s help. Graham Cluley, of the antivirus vendor Sophos, says his company’s research shows 8,000 new webpages per day, a quarter million pages per month, hosting illicit code or activity, most of which are iframe exploits. Of those, Cluley says, 70 percent are on legitimate websites. Pesdato.

Iframes have other advantages too. Separating the distribution network from the malware, making it a service, speeds up redeployment, because once a site hosts an iframe, it remains available for distribution of any variant or new piece of malware.

Jackson found a partial list of sites hosting the iframes used exclusively for Gozi. Jackson sampled 5,848 pages, only a portion of the infected pages on his partial list (meaning 76 and Exoric probably paid tens of thousands of dollars for iframe infections). Some of the iframed sites on his list were offline. Some had been cleaned up. But 2,079 of them, more than a third of the sample, still had the code online, ready to deliver new, undetectable versions of Gozi as soon as they were ready. A month later, when Jackson took attendance again, 98 percent of the 2,079 were still hosting the iframe.

ILLUSTRATION BY DANIEL BEJAR

Even if Gozi was gone for good, the iframers would be happy to resell access to these iframes to the next malware developer.

Transferred  Risk 

As much as the HangUp Team has relied on distributed pain for its success, financial institutions have relied on transferred risk to keep the Internet crime problem from becoming a consumer cause and damaging their businesses. So far, it has been cheaper to institute only enough security to pass regulatory audits and then absorb the fraud. “If you look at the volume of loss versus revenue, it’s not horribly bad yet,” says Hoff from Crossbeam, with a nod to the criminal hacker’s strategy of distributed pain. “The banks say, ‘Regulations say I need to do these seven things, so I do them and let’s hope the technology to defend against this catches up.’”

John, the security executive at the bank, one of the only security professionals from financial services who agreed to speak for this story, says, “If you audited a financial institution, you wouldn’t find many out of compliance. From a legal perspective, banks can spin that around and say, ‘There’s nothing else we could do.’”

The banks know how much data James at Secure Science is monitoring; some of them are his clients. The researcher with expertise on the HangUp Team calls consumers’ ability to transfer funds online “the dumbest thing I’ve ever seen. You can’t walk into the branch of a bank with a mask on and no ID and make a transfer. So why is it OK online?”

And yet banks push online banking to customers with one hand while the other hand pushes problems like Gozi away, into acceptable loss budgets and insurance—transferred risk.

As long as consumers don’t raise a fuss, and thus far they haven’t in any meaningful way, the banks have little to fear from their strategies.

But perhaps the only reason consumers don’t raise a fuss is because the banks have both overstated the safety and security of online banking and downplayed negative events around it, like the existence of Gozi and 76Service.

The banks themselves might argue that they are acting responsibly. It’s hard to tell since most decline to talk about the problem. Bill Nelson is president of the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a group for bank security executives where they can safely share intelligence and other information. Membership in the FS-ISAC has increased from 68 in 2004 to 2,200 this year. “That’s not a lack of interest,” says Nelson.

Nelson was the closest person to bank security executives who would speak on the record. He bristled at the notion that banks are carelessly pushing services they can’t secure. “It’s being misinterpreted that banks don’t care about security. They spend millions of dollars on this. These are good, quality people,” Nelson says.

If anything, say Nelson and others, blaming banks is precisely backward. If you want to point fingers, look at their customers, who’ve created the demand for the product in the first place. Hoff says, “It’s kind of ridiculous to think you wouldn’t, as a bank, use the Internet as a transport. If you’re not offering some form of online banking, you’re going to wither away and go out of business.”

Eric Johnson, an economist at Dartmouth who recently published a study about malware on peer-to-peer networks, says, “Customers are the banks’ worst enemies here. Customers are exposing lots of material that creates an environment for identity theft.”

Indeed, many malware problems are intimately connected to insecure PCs and finicky consumers who, even if they say otherwise, value convenience over security. As one CISO at a bank put it—anonymously, of course—“Users are pretty dumb.”

May—A Weak Reemergence

76 and Exoric weren’t just the managers of 76Service; they were also clients. Through his undercover work, Jackson found that Exoric owned a project just like the ones the team sold. Only, since access was free to him, his was a much bigger project, with hundreds of bots focused exclusively on Gozi-infected machines in Mexico and Chile (.mx and .cl domains), and no 30-day expiration. For a while, Exoric also used his own storefront for the Latin and South American markets, called GucciService.

But by May the business was strained by the constant pursuit of researchers writing signatures to detect Gozi and law enforcement working with them to find and take down the 76Service servers.

Early in the month, Jackson was able to say, “Gozi isn’t working. No one is going to the site.” At this time, his personal site was also the victim of what he termed a poor distributed denial-of-service attack that lasted 36 hours. Soon after that, when he visited 76Service.com, he found it abandoned, with a simple message: “I choose shadow. Please, never come back again.”

It seemed that, finally, it was over. But it wasn’t, of course. In fact even before Jackson found 76Service.com abandoned, a new Gozi variant was already at work; it had been infecting machines since at least April 14. In many respects, this latest Gozi bot was technically more sophisticated than ever. It had added keystroke logging as an alternative to form grabbing. And recognizing that researchers were the primary adversaries, the new version added features to stymie detection and reverse engineering. “Every copy of Gozi has a unique infection ID,” explains Jackson. “So when data comes in to the server it can check against the ID to make sure it’s a valid infection. This new version also checked to see what your bot had sent before. Basically it could shut you off if you kept logging in without delivering good data, which is what researchers do.” The new version also logged the bot’s IP address so that it could be blocked from communicating with the server.

But there were problems. A programming glitch caused the service to create huge files of redundant information, interrupting service to customers while the duo tried to fix it. “That’s why QA testing is so important,” deadpans Jackson. They had only nabbed about 500MB of data off of 200 infected PCs when their new ISP, which Jackson says was based in Panama, took them offline again.

It was a poor reemergence. Lurking on a discussion board with a colleague who could translate Russian, Jackson found a post by someone named 57, a hacker thought to be part of the HangUp Team. 57 wrote that 76 broke off work with Exoric because the two were spending more time on the lam than running the service.

The FBI had wound down on the case, according to Jackson (though in an official statement given to CSO from the press office, the FBI says it welcomes any leads on information related to Gozi and 76Service). While authorities continued to monitor some accounts they knew were connected to 76Service, Jackson didn’t think it would progress beyond that. 76Service was officially defunct. By early June, 76 and Exoric had dissolved their partnership.

But 57 also seemed to indicate that 76 was back with HangUp Team and busy rewriting the Gozi form grabber. The new architecture would allow 76 to hide the drop servers from prying eyes, making it harder to interrupt or shut down services.

Jackson predicted at the time that a new 76Service would follow in kind. After all, 76Service didn’t fail because of the service model. It failed because of a lack of manpower to secure and manage the service. It couldn’t scale. “I think they cobbled together Gozi and 76Service to see what it could do,” says Jackson. “They realize what they need to do next. They spotted weaknesses. Torpig was the next step; it was better. Now what’s next?” With the help of the HangUp Team, a 76Service-like site capable of enduring its own success will return, using some descendant of Gozi or Torpig.

The  Radical  New  Strategy? 

If users are, as one bank CISO said, dumb; and if banks can just write off their losses; and if the Internet is fundamentally insecure; and if vendors’ defenses can’t keep up; and if law enforcement is overmatched—what happens next?

Don Jackson thinks that the banks will simply transfer more of the risk. “The banks are worried, but their answer is not to track these guys down or be more diligent about security,” says Jackson, who says he remembers talking about this with bank security types at last year’s Information Systems Security Association (ISSA) conference. “Their answer is to shift more responsibility on to their customers. They’ll lower fraud limits, the amount of stolen funds they’ll cover. They’ll make it harder for consumers to prove they were defrauded—and easier to say it was the customer’s fault. You’ll have to prove that you kept your end of the deal by patching your system and so forth. Watch the terms of use for online banking. I think you’ll see changes.”

Like Jackson, Chris Rouland of IBM ISS believes the days of acceptable loss at the banks are numbered, but he has a hard time seeing a “blame the customer” strategy succeed. “This thing about putting it on consumers, it will end. It has to,” he says.

Rouland says that he is rethinking security at a fundamental level, and many others in the industry are as well. “We’re basically telling banks that client security is your problem, not [your customers’] problem. All the awareness in the world cannot adequately secure client machines. Telling customers to secure themselves will not work. We believe that in order to fix the problem, you have to protect customers’ customers. You have no choice.”

Notice Rouland did not say you have to secure the client. He never says the banks must figure out a way to protect that machine. That’s careful and deliberate, because Rouland doesn’t believe that’s what banks have to do. When it comes to securing PCs, Rouland’s advice is radical: Give up.

“In the next generation, we will all do business with infected end points,” he says.

“Our strategy is to figure out how you do business with an infected computer. How do you secure a transaction with an infected machine? Whoever figures out how to do that first will win.”

June—Disturbing Developments

By mid-June, Gozi was practically forgotten, and the new thing was Mpack. This one even had some veteran researchers muttering pesdato!

A typical Trojan like Gozi might rely on one exploit to try to open up a connection with the target PC. Mpack, on the other hand, is a briefcase full of exploits—a dozen or more of them. Mostly they’re old exploits, but the idea is that if you try 15 lock picks, one is bound to get you in. What’s more, Mpack then reports back to its server which exploits worked where and stores that information in a database, an intelligence function used to effectively pack the briefcases with the most successful lock picks. The practice seems to have vastly increased the successful infection rate of PCs that visit sites delivering Mpack.

Mpack is actually sold with malware such that once the briefcase of exploits gets access, a Trojan—often Torpig—will be delivered to the PC. Other Trojans, like Apophis (which steals digital certificates) and even the old Nuclear Grabber that Corpse was hawking more than a year ago are also available in conjunction with Mpack. It costs hundreds to thousands of dollars.


30  www.csoonline.com  September  2007 


There's an easier way to safely transfer Todd's financial data over FTP.

(Without wasting manpower on costume design.)

There isn't much IT managers won't try when it comes to securing file transfers. But drastic measures (even the creative ones) run the risk of wasting valuable resources and hindering employee productivity. Tumbleweed delivers serious protection, simply. With a product suite that's quick to deploy, easy to manage and intuitive to use, file transfers are a snap — no masterful disguises necessary.

www.tumbleweed.com/easierway

Tumbleweed
Messaging. Secure and Simple.

© 2007 Tumbleweed Communications Corp. All rights reserved. Tumbleweed and the Arrows logo are registered trademarks of Tumbleweed Communications Corp. in the United States and/or other countries.


Information  Security 


Researchers  still  trying  to  penetrate  this  service  say  that  Mpack 
is  being  sold  by  “sash,”  likely  the  same  sash  who  posted  news  of 
Corpse’s  semi-retirement  on  the  Pinch3.net  discussion  board. 
(Sash  sells  Pinch  too).  Sash  in  turn  seems  to  be  working  with 
Step57,  a  group  likely  run  by  57,  the  HangUp  Team  coder  who 
had  posted  the  news  of  76Service’s  demise.  All  of  these  players 
have  connections  to  the  Russian  Business  Network,  according  to 
several  researchers,  including  Jackson. 

Mpack’s multiple-exploit technique was used before in an exploit called WebAttacker. But Mpack is more effective because of iframes. Disturbingly, the iframers seem to have come up with some automated exploit kit capable of infecting a massive number of webpages with illicit iframes in a short period of time, “like a machine gun spraying holes in sites,” says James from Secure Science. The first round of iframe injections created to deliver Mpack showed up, literally, overnight—more than 10,000 pages were infected, mostly on Italian sites. Since then the process has repeated itself, moving country to country. Thousands of infections all at once.

Researchers are still trying to understand what allows the deployment of so many iframes so quickly. Mostly they’re reporting on rumors and theories. Using a virtual host to infect many sites is one working theory. But no one knows yet for sure how it’s done. What they do know is iframing is officially pandemic. “The iframers are making a killing,” Jackson says. “They don’t get their hands dirty with the actual malware. They just break into a server with scripts. It’s a good business to be in right now.”

Fraud 4ever

“THE THING about Mpack,” says James, is that “this is the start of the whole thing.” By this he seems to mean the golden age of Internet crime, that dawning era. “They’re starting to think like architects instead of engineers.” Mpack brings together the best iframes, the best exploits and some state-of-the-art malware into a single package, all of which is being improved constantly, and sold with a focus on customer service. In marketing parlance, it’s not a product, it’s a solution.

Business is good. Internet criminals operate with de facto immunity. The pool of vulnerable computers to exploit remains massive. The target financial institutions still treat this crime as acceptable loss. Law enforcement is otherwise occupied. And technical defenses are mere market conditions to adapt to. For example, when some clever banks came up with a way to beat keylogging by having users use “virtual keyboards” on the screen, criminal hackers just developed Briz, code that captures the pixels around the cursor, the pictures of the characters being typed. Problem solved.

The criminals innovate. Some tactics will make the hair on your neck prickle. Rumors persist of a nasty Brazilian banking Trojan that can change bank account numbers, routing numbers, balance, and payment/transfer values by injecting HTML or even whole, cloned HTTP requests into an online banking session on the fly, such that the person banking would see false information that reflected their intentions and not the actual transfer. Rouland of IBM has seen similar functionality in a bot called Grams.

Prg, another form-grabbing Trojan discovered last October, makes researchers awfully nervous. New variants emerge every couple of months and steal tens of gigabytes of data before being detected. Prg’s encryption is strong and well-designed, its ability to hide itself with antiforensics deft.
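A defender-side check for the kind of illicit iframe injection described above, added here as an example and not code from the article or any of the researchers it quotes: it scans a page's own HTML for iframes that are hidden by CSS, too small to see, or pointed at a host outside the site's allowlist. The sample page, the trusted-host list and the 198.51.100.23 address (a documentation-range IP) are constructed values.

```python
"""Flag iframes that look injected: hidden, tiny, or pointing off-site.

Added example using only the Python standard library. Meant to run over
HTML you already serve (from a crawler or a web-server integrity check),
not to fetch anything itself. All sample values below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with one injected iframe appended.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/video-player" width="640" height="480"></iframe>
<iframe src="http://198.51.100.23/in.cgi?3" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

# Constructed allowlist of hosts this site legitimately frames.
TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}

TINY_PX = 5  # frames at or below this size are effectively invisible

_SIZE_RE = re.compile(r"^\s*(\d+)\s*(?:px)?\s*$")  # "1", "1px"; "100%" -> None
_HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d"
)


def _px(value):
    """Integer pixel size, or None when the attribute is absent or not a plain number."""
    if value is None:
        return None
    m = _SIZE_RE.match(value)
    return int(m.group(1)) if m else None


def classify_iframe(attrs, trusted_hosts):
    """Return the reasons an iframe looks suspicious (empty list if it looks benign)."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname  # None for relative URLs
    if host and host not in trusted_hosts:
        reasons.append(f"off-site src {host}")
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
        reasons.append(f"tiny frame {w}x{h}")
    if _HIDDEN_RE.search(attrs.get("style", "").lower()):
        reasons.append("hidden by CSS")
    return reasons


class IframeScanner(HTMLParser):
    """Collects every <iframe> start tag and keeps the ones that trip a rule."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs -> ""
        reasons = classify_iframe(attrs, self.trusted_hosts)
        if reasons:
            self.findings.append({"src": attrs.get("src", ""), "reasons": reasons})


def scan_html(html, trusted_hosts):
    """Return a list of {"src", "reasons"} dicts for suspicious iframes in html."""
    scanner = IframeScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, TRUSTED_HOSTS):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

A clean page yields an empty list; the sample page yields one finding that trips all three rules, which is the profile of the 1x1 hidden frames the article describes.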

In  June,  Jackson  found  a  new  Prg  variant.  It  shipped  with  a 
development  kit  that  allows  anyone  who  buys  it  to  adapt  the  code 
on  the  fly  in  order  to  evade  antivirus  and  antispyware.  On  the 
server  where  he  found  it,  he  also  found  a  staging  area  where  new 
variants  were  already  developed  and  waiting  to  be  released  as  soon 
as  the  defenses  recognized  and  blocked  the  current  variant.  He 
also  found  a  couple  of  drops  for  two  groups  who  had  bought  Prg 
and  distributed  it  through  both  iframes  and  some  good  old-fash¬ 
ioned  “click  on  this  link”  e-mails.  The  drops  comprised  10,000 
account  credentials,  including  second  factors  of  authentication 
and  answers  to  those  security  check  questions  (such  as  “what  is 
your  mother’s  maiden  name?”)  meant  to  layer  extra  security  into 
the  online  banking  process. 

After  Jackson  discovered  the  Prg  variant,  he  learned  of  two 
more  Gozi  variants  found  in  the  wild.  The  executable  inside 
these  versions  is  called  7 6.exe,  and  is  probably  the  product  of  76s 
reunion  with  the  HangUp  Team.  It  has  vastly  improved  its  server 
network  and  obfuscation  techniques.  It  bounces  traffic  from  coun¬ 
try  to  country.  It  hides  its  drops  well.  In  fact,  Jackson’s  not  sure 
what  it  even  connects  to.  He’s  looking  for  the  front  end,  the  next 
76Service.  He  knows  it’s  out  there. 

But  so  far  he  can’t  find  it. 

“There’s  a  consumer  side  of  me  that  says,  Be  cautious  but  life 
must  go  on.  Someone  somehow  will  take  care  of  this,”  says  Cross¬ 
beam’s  Hoff.  “And  the  security  side  of  me  wants  to  curl  up  in  the 
fetal  position  and  not  go  out.”  ■ 


Contact  Executive  Editor  Scott  Berinato  at  sberinato@cxo.com. 




Certified Information Security Manager

IMPROVE YOUR PROFESSIONAL SKILLS (ADVANCE TO CREDIBILITY AVENUE)

Exam Registration Deadline: 26 September
Exam Date: 9 December 2007

Certified Information Systems Auditor™

www.isaca.org/csomag

CISM Certified Information Security Manager

ISACA
Serving IT Governance Professionals


Rick Santoro, EVP of asset protection and risk management, says Trump Entertainment Resorts is proceeding with basic analytics applications, while prices slowly fall and the technology matures.


Video  content  analysis  is  getting  better 
all  the  time,  but  it’s  still  new  enough  that 
buyers  should  proceed  with  eyes  wide  open 

By  Sarah  D.  Scalet 


IN THIS STORY: Uses of video analytics ■ Key evaluation and purchase considerations

PHOTO BY PETER MURPHY

Cover Story | Video Analytics

RICK SANTORO, who’s in charge of security for Trump Entertainment Resorts in Atlantic City, N.J., would seem the ideal candidate for using video content analysis—that is, technology that helps organizations draw intelligence from their surveillance video. Hotel and casino operators like Santoro’s company are known for having cutting-edge surveillance, the better to prevent loss and fraud on their high-stakes gambling floors.

Yet Santoro is taking a cautious approach. He’s only now testing systems from several vendors and integrators that could help his security group monitor places like storage facilities, hotel lobbies, parking garages and event venues for the $1 billion company. But he doesn’t think analytics tools are good enough to capture, real-time, the kind of sleight-of-hand movements his group is watching for on casino floors. Instead, Santoro is looking to find ROI with basic applications—such as setting up cameras in liquor storage areas so that they record only when motion is detected. With an emerging technology like video analytics, he says, proceeding slowly is smart.

“The longer we wait and research and look, the better the technology that we’re seeing is, and also the cheaper and more reliable it is,” says Santoro, whose full title is executive vice president of asset protection and risk management. “Five years ago was light-years behind the technology that’s around today.”

That’s one statement that everyone seems to agree with. Video analytics has come a long way from the hyped-up, gee-whiz technology of a few years ago that promised way more than it could deliver. “A lot of people had bad experiences, especially with the outdoor [analytics tools],” which were expensive, hard to configure and didn’t always work, says Sandra Jones, principal at an eponymous security consultancy that focuses much of its attention on video surveillance. “The pioneers have a lot of arrows in their back, but I have to give them a lot of credit because they were ahead of the technology curve.”

The good news is, the technology has improved enough that organizations, slowly but surely, are finding that analytics tools can help them make sense of all the video they are collecting and even find an ROI—but only if they are careful shoppers. Here’s what to know before you begin.

Tip 1 Understand the Marketplace

Once, video analytics was largely a software business, with applications residing on central servers or digital video recorders. These applications were (and still are) based on algorithms that monitor for specific events—motion detection, intrusion detection, entry through an exit and so on. Some of the analytics companies are still focused on only the software. For instance, the flagship product for Aimetis is supposed to work on any standard, networked PC.

Increasingly, however, the industry is moving toward embedding the software into hardware devices and selling the whole thing as a package, says James McManus, research analyst at IMS Research. Longtime market leader ObjectVideo has stopped selling its software to end users. Instead, the company develops software that runs on digital signal processing (DSP) chips that are manufactured by original equipment manufacturers (OEMs) such as Cisco, EMC and Texas Instruments. The OEMs then install the DSP chips onto back-end storage devices, networks, digital cameras or encoders.

(An encoder is a device that translates analog video feed into digital information. In other words, you don’t need to have digital cameras in place to do video analytics, as long as your analog cameras are compatible with encoders that can translate the signal into a digital feed.)

Some large companies, including Bosch, Honeywell and Sony, are building analytics into the digital cameras they already sell. Other specialty companies such as Verint Systems and NICE Systems focus on analytics but develop and sell the whole kit and caboodle—from video management software, to cameras and encoders, to the analytics software itself. This shifting marketplace leads to some strange bedfellows. ObjectVideo and Verint Systems are competitors but partners as well: Verint has developed some of its own algorithms and also licenses some of ObjectVideo’s algorithms and sells them on its own hardware.

Tip 2 Start With Your Business Need—Then Select the Technology

The latest video analytics tools claim to do very sophisticated activities, from identifying loiterers to detecting vandalism to monitoring crowds for dropped baggage. When evaluating your options, you may be tempted to get carried away. Don’t. Always start with the business need, then see if there is technology that could fill it—not the other way around.

“It’s like every other decision,” Jones says. “What is the return on investment, what is the value it can bring my organization, and what can it help me accomplish that I can’t accomplish any other way?” Could analytics allow you to reduce your security guard force? Could it let you monitor a site remotely and save money on gasoline? Could it help manage all the video information you’re collecting or let you conduct investigations more efficiently? Prices have come down, Jones says, but the technology is still expensive.

Pure Video
Key facts about independent analytics companies* identified by IMS Research, as well as a smaller company identified as One to Watch. Additional information provided by company websites and Hoover’s.

SOFTWARE

Aimetis
Kitchener, Ontario, Canada
www.aimetis.com
Description: This small, private company founded in 2001, which has offices in Canada and Germany, specializes in software for surveillance and business intelligence. Annual sales of $0.4 million, according to Hoover’s.
Products: Its flagship product, AIRA 2005, enables video recording and analysis on any standard, networked PC. The company also sells software to OEMs for people counting, left-item detection, liquid-spill detection and other functions.

Cernium
Reston, Va.
www.cernium.com
Description: Cernium got its start back in 1996 with software that allowed airports to monitor for people trying to enter through an exit lane. Partnership with Toshiba, which is integrating Cernium’s video analysis solutions into its IP cameras. Annual sales of $3.9 million, according to Hoover’s.
Products: In addition to its original software, Cernium now also sells Perceptrak, which monitors for activities such as people lurking, crowds forming and objects being moved; and CheckVideo, which measures security camera quality.

iOmniscient
New South Wales, Australia
www.iomniscient.com
Description: Founded in 2001, iOmniscient sells video analytics software that can be used with a variety of cameras and systems. Annual U.S. sales of $0.3 million, according to Hoover’s.
Products: The company’s algorithms include monitoring crowds for abandoned objects, theft and vandalism, as well as people-counting, slip-and-fall detection and perimeter protection.

ObjectVideo
Reston, Va.
www.objectvideo.com
Description: This private company, backed by venture capital, is the largest software company in the video analytics space. ObjectVideo grew out of Defense Advanced Research Projects Agency in 1998. OEM partners include American Dynamics, Cisco, Texas Instruments and Verint (which is also a competitor).
Products: ObjectVideo doesn’t sell to end users but instead develops software that runs on digital signal processing chips installed by OEMs onto cameras, encoders, networks or back-end storage devices. Wide range of algorithms available.

Vidient Systems
Sunnyvale, Calif.
www.vidient.com
Description: This venture capital-backed software developer was spun off from NEC Labs in 2004. Partners include 3VR Security, which is also a competitor. Annual sales of $0.2 million, according to Hoover’s.
Products: The SmartCatch family of products has modules for detecting loitering, piggybacking, stopped vehicles, removed objects and more.

HARDWARE

3VR Security
San Francisco
www.3vr.com
Description: Backed by venture funding, including the U.S. government’s intelligence investment arm In-Q-Tel, 3VR focuses on searchable video surveillance. Acquired Amcrin, which developed a network of known criminals that was shared by law enforcement and banks. Annual sales of $6 million, according to Hoover’s.
Products: 3VR’s flagship product is a digital video recorder that uses facial biometrics technology to locate a single person across multiple security events.

Ioimage
Herzliya, Israel
www.ioimage.com
Description: Founded in 2000, this prominent Israeli company with U.S. headquarters in Denton, Texas, focuses on devices that do video analysis on the edge of the network. Partnership with Texas Instruments. Annual sales of $3.3 million, according to Hoover’s.
Products: Company sells IP cameras and encoders with built-in capabilities that include detection of intrusions, stopped vehicles, unattended bags and object removal.

Mate Media Access Technologies
Yehud, Israel
www.mate.co.il
Description: Founded in 1997, this venture-capital-backed Israeli company with U.S. offices in McLean, Va., sells a variety of devices with embedded video analytics. Annual sales of $1 million, according to Hoover’s.
Products: Latest offerings include a system to detect tailgating and piggybacking through access-controlled doors.

NICE Systems
Ra’anana, Israel
www.nice.com
Description: Founded in 1988, NICE specializes in the capture and analysis of information in contact centers as well as from video. Publicly held company with 2006 revenue of $410 million.
Products: Company sells DVRs and IP video devices, including encoders and decoders, as well as software for unattended baggage monitoring, people-counting, counterflow detection and other functions.

Verint Systems
Melville, N.Y.
www.verint.com
Description: Verint Systems sells products for monitoring both communications and video data. Formerly Comverse Infosys, it is 60 percent owned by Comverse Technology, according to Hoover’s. 2006 sales of $374 million, according to preliminary, unaudited company statement.
Products: Company focuses on end-to-end solutions, encompassing video management software, cameras or encoders, and analytics software, which is developed in-house or licensed from ObjectVideo.

ONE TO WATCH

Emitall Surveillance
Montreux, Switzerland
www.emitall.com
Description: Company sells remote surveillance products for homes, small businesses and police departments.
Products: Emitall is working on a privacy protection system that blurs out distinguishing features of people captured on video but allows authorities to access clear pictures as needed.

*Chart includes only companies that are focused on video analytics. Many large electronics companies, including Bosch, Honeywell, Panasonic, Sony, Toshiba and Tyco, also sell hardware with video analytics capabilities, which may be developed in-house or obtained through licensing deals. GE Security recently spun off its analytics business into an independent company, VideoIQ.

One way vendors are dealing with this is by moving to packaged models, with groups of algorithms targeted at specific industries. Cernium, for instance, got its start selling software that allows airports to monitor for people entering through an exit lane. Now the company (which has licensed its software to the OEM Toshiba) sells packages for education, cultural institutions, gaming, governments, retail and other industries. Even within these packages, however, you might not need all the tools.

At Trump, a lot of the technology “is overkill for us,” Santoro says. “We are looking for basic, simplistic ways to alert our people to changes in areas. We’re not inclined to go with too many bells and whistles. A lot of the systems have so many features and so many things that you end up not using them.”

Tip 3 Think About Whether On-the-Edge Analytics Makes Sense for You

Another key decision is whether you want to have content analysis performed “on the edge”—that is, on digital video cameras or encoders, rather than on servers or DVRs. Analysts say this is where the industry is heading, but right now you still have a lot of options.

The advantage of on-the-edge analytics is that content analysis can be performed when the video is of its highest quality, before it is compressed to be sent over the network and stored. A traditional, centralized model, however, provides more flexibility. One DVR or server can do analytics on more than one camera feed, which means that capabilities can be directed and redirected based on the needs of the minute.

Which direction to go, says Frost & Sullivan research analyst Dilip Sarangan, depends largely on your organization’s network capabilities and what the IT department is willing to put on the network, since video traffic tends to be a bandwidth hog. The decision may influence which vendors you want to consider. Some vendors, such as Cernium, focus on centralized tools, while others such as Ioimage focus on on-the-edge setups. A lot of vendors, however, do sell both.

Gee-Whiz Factors
Some of the things video analytics technology aims to do or to detect:

■ Motion
■ Intrusion
■ Left item
■ Object removal
■ Liquid spill
■ Loitering/crowds forming
■ Fire
■ Vandalism
■ Piggybacking/tailgating (more than one person or car at a time entering through an access point)
■ Traffic monitoring (for slowed or stopped traffic)
■ Object tracking
■ People-counting
■ Camera function

Tip 4 Test, Test, Test, Before You Write the Check

Once you identify your business need and narrow down the field, it’s time to start testing. Video analytics technology is able to deliver on more of its promises than it could a few years ago. Even today, however, the technology must be configured correctly, and it may not work at all in certain situations.

“Of course [the vendors are] going to say it’s great; it does all this kind of stuff,” warns IMS Research’s McManus. But be suspicious. Integration is a problem. So are false positives. Fortunately, vendors may be willing to let you try out the hardware or software for a month or two before you actually write any checks. Insist on it.

That’s what Brian Ishikawa at the Bank of Hawaii did. Ishikawa, vice president and director of corporate security at the Honolulu-based bank, was interested in one of the more pie-in-the-sky applications of video analytics—3VR Security’s digital video recorders, which incorporate facial biometrics. The company claims that its facial recognition technology allows customers to search through video archives and find all the times a given person shows up on camera.

For Ishikawa, the pitch was powerful. If someone cashes a forged check, Ishikawa’s group might be able, without much research time, to look for other instances where that same person had appeared, possibly cashing other forged checks. Not only would this allow the bank to ensure that the same investigator was working both cases, it could also help aggregate small check fraud cases to make prosecution easier.

Ishikawa borrowed a test unit to install in one of the bank’s branches for a trial period. “You can set the system to a percentile scoring of possibilities,” he says. “If you set it on a higher possibility, it’ll give you fewer photos to view. If you lower that percentage, you may have a lot more false positives, but you might capture the party with no glasses and no beard.” Overall, he was happy enough with the results to put together a business case, which persuaded management to invest in some of the devices.

Even now, though, he’s proceeding slowly. The system could, conceivably, be used for marketing purposes, with alerts set up to notify bank employees when an important customer walks in the door. But Ishikawa hasn’t ventured there yet. In fact, he hasn’t even firmed up plans to install the DVRs in all 90 bank facilities, because he doesn’t want to end up with something that’s widely installed but out of date.

“The technology is moving so fast,” he says, “that a lot of times it’s hard to make a decision, enterprisewide.” ■


Senior  Editor  Sarah  D.  Scalet  can  be  reached  via  e-mail 
at  sscalet@cxo.com. 




The HID RP40 multiCLASS™ Reader reads the most popular proximity cards and smart cards. It’s the ultimate migration solution. The RP40 is a multi-technology card reader that makes it easy to upgrade a proximity card system to a 13.56 MHz contactless smart card technology such as HID iCLASS®. Whether you’re making the transition in a single building or across multiple facilities, you can do it at your own pace, employing multiple card technologies. Unlike other “smart” card readers that only scan the serial numbers of iCLASS, the RP40 offers the enhanced security of mutual authentication and data encryption. Convenient. Flexible. Secure. For the perfect migration path, The HID RP40 multiCLASS is required reading.


hidcorp.com 


A  Disclosure  Proposal 

Two  attorneys  lead  an  online  debate  on  how  a 
federal  breach  disclosure  law  ought  to  look 


Ever since California passed its groundbreaking data breach disclosure law (the famous California SB 1386) back in 2003, legislators across the country have been working on similar laws that would require companies to notify customers whose personal information has been compromised. Lawmakers in at least 37 other states have succeeded in passing similar legislation, creating what many businesses complain is an unruly patchwork of laws. Meanwhile, the U.S. Senate and House of Representatives are still trying to hammer out a federal version that everyone can agree on. Or at least live with.

Never ones to shirk a challenge, we at CSO wondered if our own readers couldn’t come up with a more perfect disclosure law than any of those proposals that are meandering through committees on Capitol Hill. Two attorneys from the law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, which represents corporate clients in a range of industries, agreed to start the discussion at their itinerant blog on CSOonline.com, Security Legislation Sound Off. There, Cynthia Larose and Stefani Watterson, both of whom are certified information privacy professionals, got the debate rolling with a couple of lists of what the legislation might contain and asked readers to weigh in on how to craft the act.


From the perspective of businesses, Larose and Watterson suggested that the law might include:

■  Clear  definitions  of  what  is  and  what  is 
not  a  “breach.” 

■  Clear  standards  for  how  and  when 
notification  is  to  be  provided. 

■  Clear  standards  regarding  who  must 
provide  notification— data  owners  or 
the  party  responsible  for  the  breach. 

■  A  notification  trigger  that  allows 
determination  of  possibility  of  harm  or 
misuse  of  the  data  before  notification 
is  required. 

■  “Safe  harbor”  or  exclusion  if  encrypted 
data  is  compromised. 

■ No private right of action. Enforcement by the Federal Trade Commission under FTC-promulgated rules (like Gramm-Leach-Bliley and Can-Spam).

■  Clear  federal  preemption  of  all  similar 
state  laws. 

ILLUSTRATION BY ELLIOTT GOLDEN


ADVERTISING  SUPPLEMENT 


cso 

Custom  Solutions  Group 


•  1 1 1  •  1 1 1  • 
CISCO 


The Evolution of the Self-Defending Network

Executive Summary

The constantly-changing landscape of cyber threats and increasing automation of business processes underscores the necessity of the self-defending network. Many CSOs are successfully throttling attacks with adaptive security strategies that leverage deep integration and collaboration between components. This report explores how these strategies are quickly evolving and expanding to address the next generation of threats.

The global Internet continues to change how we work, live, play and learn. For the better, it's connecting people, information and business processes in ways we could never have imagined. For the worse, it's creating greater opportunities for a sophisticated new breed of criminals whose imaginations are now hard at work.

"As we've gained control over many aspects of security, the bad guys have gone deep underground and stealthily refocused on the doors that traditional security solutions have left open—namely web, email, and instant messaging traffic," says Scott Weiss, former CEO of IronPort and now general manager of the IronPort Business Unit at San Jose, CA-based Cisco Systems, Inc.

The nature of today's attacks is simply "more"—more complex, more frequent, more vicious and especially more targeted than ever before. Hackers have graduated from annoying pranksters to full-fledged criminals spurred more by financial gain than the underworld notoriety that comes with unleashing a particularly nasty virus or worm.

The fact is, today's attacks translate into big business. Online drug sales grossing millions from illegal activity. Trusted websites infected with silent spyware designed to steal valuable corporate data. Large-scale credit card fraud and identity theft scams. What's more, these criminals are looking to cash in big—usually at significant expense to enterprises.

Advice from the Experts

When it comes to getting started, our experts from Cisco offer some learned advice to put you on the right path to building a winning self-defending network:

■ Do a thorough X-ray of your network, so you know exactly what's going on and what isn't.

■ Users can be a weak link—especially with desktop tools like iPhones and PDAs—but creating the right security culture is a great way to get them involved.

■ Start the journey by proactively piloting new capabilities, learn from deployments and then scale as required.

■ Security is essentially risk management, so it always boils down to a tradeoff discussion and making some tough calls.

■ Accept that security technologies are more systematic, touching more components of the infrastructure; approach your strategy from that perspective.

■ Remember, the great unknown problem is the next area to clean up. Make sure you're ready when it hits.

■ Integration and cooperation among security services are the underpinning of success.


Network, Defend Thyself

With integrated, proactive security technology or "self-defending networks," many CSOs are beating these stealthy evil-doers at their own games.

"A self-defending network is essentially a strategy and vision oriented around linking security services so they are able to collaborate and act adaptively to proactively protect against evolving threats and security situations," says Richard Palmer, senior vice president and general manager of Cisco's Security Technology Group. "It enables CSOs to simplify policy and management so the network components can enforce security policy with minimal manual intervention."

The underlying concept is simple: Instead of approaching enterprise security as a mishmash of stand-alone components, a self-defending network considers security as the sum of its parts. Thus, security services are deeply integrated into the network, sharing information for higher levels of protection and ever-evolving to address constantly changing security requirements.


"Better Together" Approach to the New Threat Landscape

It is the self-defending network's demonstrated ability to adapt and expand with the changing threat landscape that makes it so appealing to CSOs.

"Over time, increasingly complex threats have been the key driver in the evolution of the self-defending network," says Weiss. "The original focus was on locking basic access and keeping hackers out by using firewalls and VPN systems. Then, deep packet analysis was introduced, including the integration of intrusion prevention systems with firewalls, switches and routers."

"These tactics proved to be extremely effective against timely threats—namely, viruses and worms—and such activity has fallen off significantly," adds Palmer. "But CSOs are not getting complacent; instead they are moving up the stack for wider protection."

Protection, that is, against a sophisticated new breed of threats, he says. Some blend email and web technology and are launched as increasingly targeted and stealthy attacks. Others are polymorphic attacks that evolve very rapidly, exploiting different vulnerabilities in succession in an effort to outsmart enterprises toward a very specific end. Examples: fraudulent email messages that seem to come from the IRS, messages from friends that contain links to corrupted web servers, or even trusted entertainment web sites being used to silently serve up spyware intent on hijacking unsuspecting devices.

Such malicious ingenuity has led to a major shift in the industry, forcing the convergence of traditionally separate network, content and application security markets. Meaning, there's a newly evolved self-defending network that combines tried and true network-level security with next-generation capabilities for inspecting email, web and instant messaging traffic. Such wide traffic inspection techniques essentially aggregate worldwide threat intelligence from sources inside and outside the network—for improved protection against a wider array of threats.

The "new and improved" self-defending network is all about broader component collaboration. This includes a comprehensive approach that extends beyond the perimeter and spans all networking levels—from the packet to the content. So, for instance, content can be flagged for examination when suspicious traffic patterns are identified. Perhaps most compelling, wide traffic inspection brings cooperation to a worldwide level by sharing intelligence beyond the corporate network to envelop threat data for email and web servers throughout the global Internet.

Wide traffic inspection is supported by reputation scores provided by services like SenderBase. Every IP address from every email server that makes a connection is assigned an aggregated spam probability; the lowest being near certain spam and the highest being most likely legitimate. Reputation scores consider positive attributes like whether the IP address is controlled by a Fortune 1,000 company, and more important, negative attributes such as its inclusion on an industry "black list," the number of messages sent to "spam traps," and the validity of message recipients.

In the end, policies are automatically applied to block known bad senders. This stops suspicious senders in their tracks, while allowing trusted senders to bypass spam filters altogether—resulting in greater outer-layer defense for the network and less stress on the system.


The World's Largest Email and Web Traffic Monitoring Service

The SenderBase Reputation Score (SBRS) is a wide traffic inspection service that enables security appliances to weed out suspicious email and web content—before it hits the network.

SenderBase collects and correlates data on the behavior of a large and wide spectrum of active email and web servers throughout the Internet, measuring parameters such as how long the server has been delivering content, its country of origin and whether any content has proven to be spam or malware. In addition, threat insight comes from industry "blacklists" and participants in the SenderBase Network can "opt in" to sharing data. All told, SenderBase aggregates threat intelligence from more than 100,000 sources, including ISPs, universities and enterprises from around the world.

Over 150 attributes in all are used to determine a sender's reputation score. Each factor is assigned a weight, based on the historical probabilities that messages from an IP address with that characteristic were spam. Individual probabilities are aggregated using an advanced algorithm—which produces an overall probability that the content coming from a given IP address is spam or malware. Then the aggregate reputation probability is mapped to a score between -10 and +10.

In the case of spam, this score ultimately allows security appliances to automatically apply appropriate mail flow policies for blocking suspicious senders or allowing trusted senders to bypass spam filters. Not only does this prevent widespread infection, but rejecting known suspicious mail at the beginning of a transaction can significantly improve system performance due to reduced filtering volumes.

"This reputation data is what connects content and network security across protocols to support wide traffic inspection and deliver holistic protection for the enterprise," says Weiss. When an email arrives and is determined to be a phishing attack, any URLs the email contains are passed to a web security device to ensure that other end users aren't getting hit with a variant of the attack. Similarly, when the web security appliance detects malicious content coming from a web server, any emails that contain URLs that point to that server are carefully examined or blocked.

Such cooperation increases overall network defense exponentially.


Cisco Self-Defending Network

Better Together

Integrated security systems that can collaborate and share threat data across protocols, network boundaries and the global Internet offer a very strong and adaptive defense against the efforts of even the most creative cyber criminals. Bringing IronPort into the Cisco fold is helping CSOs make major strides toward this goal. The combined company integrates IronPort's industry-leading content security appliances, SenderBase, the world's first and largest email and web traffic monitoring service, and Cisco's broad array of network infrastructure and security products. The result is a highly-evolved, self-defending network that will prepare enterprises for whatever new threats should arise in the future.
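The reputation pipeline described above (per-attribute spam probabilities, weighting, aggregation into one probability, mapping to the -10..+10 scale, and a mail flow policy chosen from the score), written out as an added example that is not IronPort's or Cisco's code. The attribute table, the log-odds combination rule, the policy thresholds and the sample IP addresses are assumptions of this example; the text does not disclose the actual SenderBase algorithm.

```python
"""Sender reputation scoring in the manner the text describes.
Added example; the attribute table, combination rule and thresholds are assumed."""
import math

# Constructed table: attribute -> historical probability that mail from an IP
# with this attribute was spam. Names follow the attributes the text mentions.
ATTRIBUTE_SPAM_PROBABILITY = {
    "on_industry_blacklist": 0.98,
    "hits_spam_traps": 0.95,
    "many_invalid_recipients": 0.90,
    "sending_under_30_days": 0.80,
    "high_spam_country_of_origin": 0.70,
    "sending_over_2_years": 0.20,
    "opt_in_participant_clean_history": 0.10,
    "fortune_1000_controlled": 0.05,
}
PRIOR_SPAM_PROBABILITY = 0.5  # assumed for an IP with no known attributes


def attribute_weight(probability):
    """Weight of one attribute as its log-odds of spam (assumed weighting rule)."""
    return math.log(probability / (1.0 - probability))


def aggregate_spam_probability(attributes):
    """Combine the weights naive-Bayes style into one spam probability for the IP."""
    log_odds = attribute_weight(PRIOR_SPAM_PROBABILITY)
    for name in attributes:
        log_odds += attribute_weight(ATTRIBUTE_SPAM_PROBABILITY[name])
    return 1.0 / (1.0 + math.exp(-log_odds))


def reputation_score(attributes):
    """Map the aggregate probability onto -10 (near certain spam) .. +10 (legitimate)."""
    p = aggregate_spam_probability(attributes)
    score = 10.0 * (1.0 - 2.0 * p)
    return round(max(-10.0, min(10.0, score)), 1)


def mail_flow_policy(score):
    """Pick the mail flow policy for a score; the thresholds are assumed, not vendor values."""
    if score <= -8.0:
        return "BLOCK"      # reject at connection time, before any content filtering
    if score <= -2.0:
        return "THROTTLE"   # accept slowly and run every filter
    if score >= 5.0:
        return "BYPASS"     # trusted sender skips the spam filters
    return "FILTER"         # unknown or mixed history: normal anti-spam scanning


def classify_sender(ip, attributes):
    """Return (ip, score, policy) for one connecting mail server."""
    score = reputation_score(attributes)
    return ip, score, mail_flow_policy(score)


if __name__ == "__main__":
    # Constructed sample connections (documentation address ranges), not real indicators.
    for ip, attrs in [("203.0.113.9", ["on_industry_blacklist", "hits_spam_traps"]),
                      ("198.51.100.4", ["sending_under_30_days"]),
                      ("192.0.2.77", ["fortune_1000_controlled", "sending_over_2_years"]),
                      ("192.0.2.1", [])]:
        print(classify_sender(ip, attrs))
```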

"Wide traffic inspection exemplifies the guiding principles behind effective self-defending networks," says Palmer. "Not only does it leverage integrated security capabilities in network, but it's collaborative in nature and adaptive to emerging threats."

Bringing It All Together in the Real World

"This 'better together' effect is at the heart of wide traffic inspection technology," says Weiss. "Meaning, the promise of the solution grows as cooperation extends beyond the perimeter, starts to span all networking levels and pushes past the individual corporate network."

He explains how that cooperation might work in the real world: When a desktop client detects a new "zero day" attack, the signature of that exploit can be captured and sent to perimeter equipment to block further spread of the attack. If packet level analysis identifies suspicious traffic patterns, the content from that transaction can be examined more carefully with content-aware devices. And these analyses can be shared across individual corporate networks to provide a global view. "Taken further, as Network Admission Control [NAC] systems begin to be incorporated into wide traffic inspection, the illicit activity detected at the firewall can be shared with the NAC systems to ensure that infected clients are automatically quarantined and remediation measures launched," Weiss says.

Scenarios like these translate into real world rewards. This converged approach to security leverages traditional capabilities in new ways with more intelligence and more effective policy controls, so CSOs can simplify the operational environment and reduce manual intervention.

In addition, CSOs can dramatically improve the overall security health of their enterprises with big-picture, global views of security threats, and by casting wider nets for identifying vulnerabilities inside and outside their networks.

Of course, that level of visibility can net real results in helping organizations to achieve higher levels of compliance. The "better together" approach, combining network and content security, is the only sure-fire way to do all of that.

In the end, concludes Palmer, "a self-defending network strategy enables CSOs to more effectively and cost-efficiently deal with security threat environments."

To learn more about the Cisco Self-Defending Network, visit www.cisco.com/go/sdn


The Personal Data Privacy Act

Incorporating feedback from CSOonline.com and proposed by attorneys Cynthia Larose and Stefani Watterson of the law firm Mintz, Levin


Purpose: To prevent the use of personally identifiable information in a way that is harmful to individuals and to provide for notice in the event of a breach of such information.

Definitions: 1. Business or businesses. All organizations (including, but not limited to, incorporations, partnerships, limited liability companies, sole proprietorships) engaged in interstate commerce.

2. Personally identifiable information. The name of an individual used in combination with Social Security number, driver’s license number, passport number and two of the following: address, account number, date of birth, mother’s maiden name or a unique biometric identifier.

3. Data breach. Unauthorized access to personally identifiable information that results in, or could result in, inappropriate use of the data. This does not include good faith acquisition of data.

Data breach notification: Any business that uses, stores or transfers personally identifiable information must notify all individuals whose personally identifiable information is compromised through a data breach. Notification must occur within 30 days of the breach and must be by either mail, phone or electronic means.

Safe harbor: Notification is not required if a business meets the industry standard for methods of encryption and the business has taken preventive measures to secure its systems and data.

Preventive measures: Businesses can meet the safe harbor if they have taken the following preventive measures:

1. Adopted established industry standards for data security and encryption.

2. Implemented an internal data security program that includes regular internal and external audits.

3. Implemented a regular employee education and training program to raise awareness of data security issues.

Use of Social Security numbers: By the year _____, businesses must phase out the use of Social Security numbers as a method of identification.

Enforcement: The attorney general or state attorneys general may bring a civil action against any business that violates the provisions of this act. Fines for violations shall not exceed $1,000 per day per individual whose personally identifiable information has been compromised. The maximum penalty per violation shall be $1,000,000.

No private cause of action: This act does not establish a private cause of action against any business for violations of the act.

Relation to state law: This act shall supersede any state law relating to notification of breach of personally identifiable information.


From the perspective of consumers, Larose and Watterson suggested some requirements and definitions:

■ Companies must notify all individuals whose personal information is compromised.

■ Notification must occur by written means (electronic or by mail) without unreasonable delay. Companies must implement notification procedures and review and update those procedures if necessary on an annual basis.

■ “Companies” includes all entities and individuals conducting interstate transactions that request or store personal information.

■ “Personal information” includes the first and last name of an individual, with one or more of the following: date of birth, Social Security number, account number and driver’s license number.

■ Following notification to individuals of the breach, companies must take reasonable steps to change the personal information to prevent unauthorized use of it.

■ Notification should be required without regard to whether there is the possibility for harm.

■ Private right of action and civil penalties for failure to comply.

■ No preemption of more stringent/protective state laws.

In the debate that followed, business representatives and consumers provided sometimes heated responses to these proposals and offered suggestions of their own. (For all the gory details, visit http://blogs.csoonline.com/personal_data_exposed_how_can_we_fix_this_mess.) One especially contentious point: whether businesses must disclose a breach of personal information that was encrypted. Even those who didn’t completely object to some kind of exception for encrypted information raised concerns about how quickly encryption techniques change.

Another common thread was the need for legislators to address—in this law or elsewhere—the fact that a few bits of personal information can be so easily obtained and then misused by someone looking to commit identity fraud. “The best defense against data being stolen is data not being gathered in the first place,” wrote one poster. “Use of SSNs in any database should be strictly limited to information reported to the [Social Security Administration] or [Internal Revenue Service].”

Based on the dozens of often conflicting comments at CSOonline.com, Larose and Watterson bravely proffer this proposal. Whether their effort matches some of the more pro-consumer comments on the site is open to further discussion. As much as anything, the process underscores the challenge facing legislators. They won’t be able to come up with a national disclosure law that makes everyone happy. We can’t say that even this one makes any of us at CSO happy, exactly—but we’re glad to have given readers and our expert commentators a chance to weigh in. -Sarah D. Scalet


September  2007  www.csoonline.com  41 


Team  Time 


How establishing a formal security management team can free you up to focus on strategy

By Anonymous

FOR MANY YEARS, as I grew in the executive ranks of several companies, I heard that it was lonely at the top. Once you achieved the highest position in your department, people said, you were the leader responsible for all the make-or-break decisions and their consequences. At the same time, those people said, there was a need to tip your balance of responsibilities to a more strategic role, so that you could spend less time and energy being tactical.

This creates a taxing dilemma: How do you make all the decisions while still becoming more strategic? Spend more time on the job? Maybe. Some might say that’s why we CSOs get paid the big bucks.

Having found myself in that situation, however, I’ve been working on another approach: improving my team’s dynamics so that I can comfortably delegate more decisions, thus freeing myself up to focus on strategy. After all, being responsible for each and every decision is different from actually making each and every decision.

There’s an added bonus too. Especially for CSOs who manage a team of executives who oversee security in various and divergent functions of a major organization—for example, a leader who oversees both the IT security and physical security functions, or who directs physical security across diverse business channels—this approach can be rewarding not only for you but also for the rest of your team, because it allows them to participate in the decision-making process across a broad scope of the business.

Of course, it’s not easy building trust with the group and divorcing yourself from the day-to-day operations of the business. But after a solid year of working toward empowering my team, I’m finding that it’s starting to pay off. Here’s what I’ve learned so far.

Building the Team

The first task at hand is assembling a team, typically your direct reports or all management at a certain level. For example, my team consists of my direct reports (four) and all other director-level members of my department (four). For our purposes here, I’ll refer to this team as the Security Executive Team, or SET. As leaders, perhaps our most important focus is making sure that our top managers have a strong balance of hard and soft skills and are capable of decision making, communication and program execution without our direct intervention.

It is important that you establish the SET with a couple of critical points in mind. First, the SET must be responsible for setting the direction of the department and making all key decisions that affect any aspect of the department’s business—regardless of how divergent the organization that you support.

Second, you must establish some rules on how the SET and its members operate. This will be your first challenge as a team. Let me share with you some of the rules that we developed as a team in order to create clear expectations for our SET.

Rule 1: The SET is the directors’ primary team, period. It comes first and foremost, even above each of the directors’ own teams.

Rule 2: Every member has an equal voice at the table to ensure equality of participation.

Rule 3: All major topics and issues of the department must be discussed with the SET to seek collective input and avoid shallow decisions.

Rule 4: Decisions don’t require consensus, and members must learn to disagree and still commit to decisions once they are made.

Rule 5: The team will speak as a unified voice to the entire department and company.

Rule 6: Members of the SET will hold each other accountable for successfully implementing all decisions.

In addition, it must be understood that the department may need to comply with certain company initiatives regardless of what the SET might decide on its own. In these cases, you, the leader, will address the directives through the SET, not to gain consensus but to agree about the expectations and delivery of the directive. Also, in terms of conflict resolution, my team agreed that I would be the ultimate authority to arbitrate stalemates. (That’s why they pay me the big bucks, right?)

There have been a few times that I have had to make the final decision on a contentious issue, and members of the team have committed to it knowing that I made a decision only after hearing everyone’s opinion equally. For example, at one point we were arguing about the need to quantify performance in each of the business channels that we support, and the team was divided and passionate in their positions. Only after listening to an intense debate did I intervene to tip the scale and make the decision to use metrics in all areas, because of the company’s desire to integrate performance measurements in all areas of the business. I engaged the team members individually in front of their peers to ensure that they would commit to the decision. I think this made the team realize that their individual voices would be heard. The next time we debated, members were even more open to debate, realizing that a fair and equitable decision would be made.

ILLUSTRATION BY MARIO WAGNER

Meeting Regularly

Once the expectations are clear, the SET should meet regularly, based on the demands of the business. Our SET meets every month for two full business days. And, yes, once the SET begins to debate all the business at hand and also to review the implementation of past decisions, you will need to set aside an appropriate amount of time. Two days a month may sound like a lot, especially if your team is geographically dispersed, but the payoff is that the rest of the month, you can count on the members of the SET to take care of the day-to-day business.

As the leader, you must publish an agenda for each meeting. (I recommend that you not assign times for each agenda item, because this can stifle team input.) Topics for the agenda should reflect the input solicited from all members. This is important—and difficult, because it requires all members of the SET to put items on the agenda that they normally would have decided on their own or with their own team. In a way, members must make themselves vulnerable, because decisions that may affect only them or their own business area may be made contrary to their own perspective. But it goes to the core of the SET—that it is the one team that sets the direction for the security department and makes all the key decisions.

There are bound to be some bumps in the beginning. In our case, until we became comfortable with each other as a team, members sometimes would make decisions on key issues in between our monthly SET meetings. As the leader, I would have to hold them accountable for having bypassed or broken our team rules. This was no fun, but it reinforced the need for everyone to bring all issues in front of the SET.

In a sense, team members do sacrifice a degree of decision-making ability. The trade-off or incentive is their ability to participate in and influence the broader security business. Initially, the decision making around what is appropriate to bring before the SET is challenging, but as each team member engages the broader team on issues, it becomes apparent what does and does not apply. Team members will even tell other team members in our SET meetings, “Thanks for bringing that up, but you can make that decision and let us know the results.” At this point, it is all about trusting each other to bring things to the table for the greater good, sacrificing some of your personal power in your own particular area and participating more significantly on the department level.

At the conclusion of each meeting, the team members review the minutes, then communicate the content to their departments and the business channels that they support. This follow-up communication flows nicely, since there is a unified voice from the SET. It reinforces the fact that the SET makes the decisions and that they are vetted thoroughly for the benefit of the entire department and organization.

When it’s all said and done—if everything goes well, that is—you will have created an environment where your key management team assembles regularly to debate and make decisions. As the leader, this means that you have effectively let go of the day-to-day minutiae of the security department and limited your focus. In my case, I have managed to narrow the time I spend on daily operations to the two days that my SET meets each month. Of course, I am free to insert myself more than that, either as my schedule allows or because of my interest in a topic. But I don’t have to get involved to count on things being done appropriately.

What does this mean? Now that this process is in place, I can move beyond the tactical. After all, this is what the organization really needs from the CSO: a focus on the long-term alignment and creative applications of the security mission with the direction of the business. Through this process, the CSO can effectively open up his or her calendar.

Also, I have found that a separate and welcome benefit of this team approach is that now I can periodically begin a SET meeting with a strategic topic. Having opened the door for my SET members to engage in unrestricted, constructive debate on key tactical issues, I can also sit back and enjoy the benefits of a strategic discussion, making use of collective team wisdom. ■


CSO  Undercover  is  written  anonymously  by  a  real  CSO. 
Send  feedback  to  csoundercover@cxo.com. 






SEPTEMBER  11-12,  2007 


JACOB  JAVITS  CONVENTION  CENTER 


NEW  YORK, 


Solutions.  Education.  All  on  the  same  floor. 


Solutions  only  work  when  you  know  how  to  use  them.  That's 
why  for  2007,  Infosecurity  New  York  is  enhancing  the 
show  floor  experience  with  a  bold  new  approach: 
source  all  the  products  and  services  you  need  to 
ensure  a  compliant,  secure  IT  infrastructure  AND 
learn  how  to  apply  them  -  all  without  leaving  the 
show  floor.  FREE  hands-on  sessions  will  be  taught 
by  the  same  leading  developers  you'll  see 
exhibiting,  so  you'll  immediately  take  away 
answers  to  the  challenges  you're  tackling  at  work. 

No  matter  what  your  industry  -  finance,  government, 
education  -  you'll  witness  over  1 75  companies  offering 
the  very  latest  state-of-the-art  technologies,  including  - 


Access  Control  •  Anti-Spam  •  Email  Security 
•  Firewalls  •  Intrusion  Detection  •  Intrusion  Protection 
•  LAN/WAN  Security  •  Network  Security 
•  Virus  Protection  •  Client  Server  Security 

ALL  NEW  -  The  Security  Operations  Center 

Highlighting  the  convergence  of  IT  and  physical  security  is  the 
all-new  Security  Operations  Center.  Offered  at  Infosecurity  New  York 
and  ISC  East,  and  produced  by  IPVS,  the  Security  Operations  Center 
demonstrates  a  live,  best-of-breed,  multi-vendor  converged  network 
integrating  physical  security  and  enterprise  IT  products  -  right  on 
the  show  floor. 


INFOSECURITY  NEW  YORK.  WALK  IN  WITH  CHALLENGES.  WALK  OUT  WITH  SOLUTIONS. 


REGISTER  FOR  FREE  AT:  www.InfosecurityEvent.com/CSO 

Global  Media 

Sponsor:  Sponsors:  Produced  by: 


NOVell.  Seagate  (fP^  Surf^ntrol  ^TiSiglT 


Reed  Exhibitions 


Infosecurity  New  York  is  a  registered  trademark  of  Reed  Elsevier  Properties,  Inc.  used  under  license.  ©  2007  Reed  Elsevier,  Inc. 


CODE:  AD5X1 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


Sales  and  Services 

CSO  Sales  Offices 

President  and  CEO 

Michael  Friedenberg  •  508  935-4310 

Publisher 

Bob  Bragdon  •  508  935-4443 
Senior  Ad  Sales  Associate 
Christine  McKay  •  508  988-7836 
Eastern  Territory 
East  Coast  Regional  Manager 
Roz  Burke  •  508  935-4163 
Western  Territory 
Regional  Sales  Manager 
Drew  Seifried  •  415  217-9083 

Online  Sales 

Vice  President,  Online  Sales 
Brian  Glynn  •  508  935-4586 
Online  Regional  Sales  Manager 
Richard  Hartman  •  508  935-4487 
Online  Regional  Sales  Manager,  West  Coast 
Erika  Karr  •  415  978-3329 
Manager,  Online  Account  Services 
Danielle  Tetreault  •  508  988-7969 
Online  Account  Services  Specialist 
Valerie  Sumner  •  508  988-7877 
Online  Advertising  Specialist 
Irina  Gabechiia  •  508  935-4414 
Online  Ad  Sales  Associate 
Devon  Slattery  •  415  975-2687 
Online  Account  Services  Coordinator 
Hayley  Nickerson  •  508  988-7819 

Custom  Solutions  Group 

Vice  President 

Matt  Avery  •  508  935-4796 

National  Director  of  Sales 

Adam  Dennison  •  508  935-4087 

Managing  Editor 

Jim  Malone 

Associate  Editor 

Anne  Taylor 

Senior  Project  Manager 

Amy  Greenleaf 

Project  Managers 

Karen  Capland,  Amy  Freeman 

CSO  Executive  Council 

Managing  Director 

Bob  Hayes 

VP,  Research  and  Product  Development 

Kathleen  Kotwica 

Director,  IT  and  Product  Technology 
Greg  Kane 

Operations  and  Production  Specialist 
Jayne  Marcucella 
Member  Services  Manager 
Elizabeth  Lancaster 


Production 

VP/Manufacturing 
Chris  Cuoco 
Production  Manager 
Heidi  Broadley 

Associate  Production  Manager 
Lisa  M.  Stevenson 

Executive  Programs 

VP,  Executive  Programs 
Ellen  Daly 

Director,  Event  Marketing 
Mary  Conroy 

Director,  Event  Operations 
Deb  Begreen 
National  Sales  Manager 
Per  Melker 

Senior  Conference  Producer 

Judith  Kittredge 

Event  Planner 

Sarah  Reagan 

Event  Coordinator 

Bethany  Whiffin 

Registration  Specialist 

Cress  O'Brien 

Client  Services  Specialist 

Erica  Foster 

Sales  Associate 

Nicole  Blackburn  •  508  935-4154 

Marketing 

Sr.  Director,  Marketing  Communications 
Sue  Yanovitch 

Sr.  Marketing  Communications  Specialist 
Susan  Murray 

Marketing  Communications  Specialist 

Lynn  Holmlund 

Circulation 

Senior  VP/Circulation 

Carol  A.  Spach 

Subscription  Services  Supervisor 
Tina  Pescara 

List  Services 

Contact  Paul  Capone  of  IDG  List  Services  at 
508  370-0865  or  pcapone@idglist.com. 

Reprint  Services 

For  article  reprints  (100  quantity  or  more), 
please  contact  Keith  Williams  at  PARS 
International  at  212  221-9595,  ext.  319, 
or  e-mail  keith.williams@parsintl.com. 

For  further  sales  information,  visit 
www.csoonline.com/reprints/index.html. 


CSO  Contact  Information 

Editorial/Advertising/Business  Offices 

492  Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 

Postal  Information 

CSO  (ISSN  1540-904X)  is  published  monthly 
except  for  a  combined  issue  in  July/August 
and  December/January  by  CXO  Media  Inc., 
492  Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208.  Periodical 
Postage  Rate  at  Framingham,  MA  01701, 
and  at  additional  mailing  offices.  Canadian 
Publications  Mail  agreement  number 
1902075.  CANADIAN  POSTMASTER:  Please 
return  undeliverable  copy  to  P.O.  Box  1632, 
Windsor,  ON  N9A  7C9. 

Permissions 

Copyright  2007  by  CXO  Media  Inc.  All 
rights  reserved.  Reproduction  of  material 
appearing  in  CSO  is  forbidden  without 
written  permission.  Send  requests  to  Yadira 
Pizarro,  PARS  International,  212  221-9595, 
ext.  231,  or  e-mail  yadira@parsintl.com. 

Photocopy  Rights 

Permission  to  photocopy  for  internal  or 
personal  use  or  the  internal  or  personal  use 
of  specific  clients  is  granted  by  CSO  for  users 
through  the  Copyright  Clearance  Center, 
provided  that  a  fee  of  $3.50  per  copy  of  the 
article  is  paid  directly  to  Copyright  Clearance 
Center,  222  Rosewood  Drive,  Danvers,  MA 
01970.  www.copyright.com.  Please  specify: 
ISSN  1540-904x.  Permission  to  photocopy 
does  not  extend  to  contributed  articles 
followed  by  this  symbol:  %. 

Subscriptions 

Address  inquiries  to  CSO,  P.O.  Box  3482, 
Northbrook,  IL  60065;  866  354-1125. 

CSO  is  free  to  qualified  information 
executives.  To  all  others  the  one-year  basic 
rate  is  $60  for  the  United  States  and  Canada, 
$80  to  foreign  countries  (payable  in  U.S. 
funds  only).  The  single  copy  price  is  $9  to 
the  U.S.  and  Canada  and  $15  International. 
Please  allow  four  to  six  weeks  for  new 
subscriptions  to  begin. 

Change  of  Address 

Go  to  www.omeda.com/custsrv/cso  and 
follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to: 

CSO,  P.O.  Box  3482,  Northbrook,  IL  60065 
Printed  in  the  USA. 

Index  of  Companies  and  Advertisers 


Company  Index 

3VR  Security  Inc . 34 

Aimetis  Corp . 34 

Amazon.com  Inc . 20 

Arbor  Networks  Inc . 13 

ASIS  International  . 6 

Bank  of  Hawaii . 34 

BHS  Home  Appliances  Corp . 34 

Boston  Scientific  Corp . 13 

BrandProtect  . 13 

Cernium  Corp . 34 

Christian  Aid  . 13 

Cisco  Systems  Inc . 13,  34 

Citizens  Financial  Group  . 13 

Crossbeam  Systems  Inc . 20 

Dartmouth  College . 20 

Department  of  Homeland  Security . 6 

e-Gold  Ltd . 20 

Electronic  Privacy  Information  Center . 13 

EMC  Corp . 34 

Emitall  . 34 


Financial  Services  Information 

Sharing  and  Analysis  Center . 20 

FMR  Corp . 13 

Font.com  . 20 

Frost  &  Sullivan  . 34 

General  Electric  Co . 13 

Harvard  Law  School . 13 

Honeywell  International  Inc . 34 

IBM  Corp . 13,  20 

IMS  Research . 34 

Information  Systems  Audit 

and  Control  Association  . 6 

Information  Systems  Security 

Association . 6 

InfraGuard  . 20 

International  Association  for  the 

Advancement  of  Criminal  Activity . 20 

ioimage . 34 

iOmniscient  Pty.  Ltd . 34 

KitchenAid,  USA . 13 

MarkMonitor  Inc . 13 

MATE  Inc.  USA . 34 

Mintz  Levin  Cohn  Ferris  Glovsky 

and  Popeo  PC . 40 

NameProtect  Inc . 13 

National  City  Corp . 13 

Nordea . 20 

ObjectVideo  Inc . 34 

PayPal . 27 

Risk  and  Insurance 

Management  Society . 6 

Secure  Science  Corp . 20 

SecureWorks  Inc . 20 

Shell  International  BV  . 13 

Sony  Corp.  of  America . 34 

Sophos  Plc . 20 

Texas  Instruments  Inc . 34 

Toshiba  America  Inc . 34 

Trump  Entertainment  Resorts  . 34 

Verint  Systems  Inc . 34 

WesCorp . 20 

Western  Union  Holdings  Inc . 20 

Whirlpool  Corp . 13 

Advertiser  Index 

ADT  Security  Services  Inc . 7 

BigFix  Inc . 17 

CA  . C4 

Cisco  Systems  Inc . 40a 

CXO  Media  Inc . 9,  43,  47 

Cyveillance . C3 

Executive  Women's  Forum . 8a 

Hewlett-Packard  Co . 29 

HID  Corp . 39 

IBM  Corp . C2 

Infosecurity  NY  2007  .  45 

ISACA . 33 

ISC2 . 12 

Juniper  Networks  Inc . 5 

RSA  Security  Inc . 10,  11 

SecureWorks  . 19 

Tumbleweed  Communications  Corp . 31 

Unisys  . 15 

VeriSign  Inc . 3 




The  CSO  Executive  Seminar  on  PCI  Compliance: 
Building  Privacy  &  Security  Into  Your  Organization 

We  all  know  the  PCI  (Payment  Card  Industry)  standard  is  an  industry  guideline,  but 
make  no  mistake  about  it—every  organization  that  takes  payment  cards  is  subject  to  its 
requirements.  The  only  question  is,  to  what  degree?  There  are  significant  penalties  for 
violating  the  terms  of  PCI,  and  while  most  just  result  in  modest  fines,  major  violations  can 
result  in  your  business  losing  the  ability  to  process  credit  card  transactions—that  could 
severely  impact  your  business.  If  you  are  responsible  for  your  organization’s  PCI  or  privacy 
initiatives,  you  won’t  want  to  miss  these  seminars. 


WHO  SHOULD  ATTEND 

CSOs,  CPOs,  CISOs,  Security  Directors,  Legal 
Counsels,  auditors  and  others  who  are  charged 
with  protecting  credit  card  files. 

Government  and  non-profit  officials  who 
prepare  their  organizations  for  security 
issues. 

BENEFITS  OF  ATTENDING 

A  360  degree  view  of  PCI  Compliance  including: 

•  Impact  and  Requirements  of  PCI  DSS 

•  Case  Study  for  PCI  Compliance 

•  Breaking  Down  PCI-What  is  Required 

Visit  www.csoonline.com/conferences  to  view  the 
entire  agenda. 


NEW  YORK,  NEW  YORK 
Wednesday,  September  12,  2007 
7:30am-3:45pm 
Grand  Hyatt  New  York 

CHICAGO,  ILLINOIS 
Thursday,  October  18,  2007 
7:30am-3:45pm 

Space  is  limited.  Register  today  at: 
www.csoonline.com/conferences 
or  for  more  information  call 
800.366.0246 


Platinum  Sponsors:  Symantec 

Gold  Sponsors:  Ounce  Labs;  RSA,  The  Security  Division  of  EMC 

Silver  Sponsors:  Guardium  (Safeguarding  Databases);  Imperva;  Lumigent;  Tizor 


Produced  by: 

CSO 

The  Resource  for 
Security  Executives 


Pop  Quiz 


The  Underachieving 
Thieves’  Guild 


1.  A  New  Hampshire  man  allegedly  robbed 
Citizens  Bank  without  a  weapon  but  dis¬ 
guised  as  what? 

a.  A  gorilla 

b.  A  tree 

c.  An  ATM  repairman 

d.  An  elderly  woman 

2.  Which  of  the  following  prevented  two 
men  from  robbing  a  Blackpool,  England, 
post  office? 

a.  Their  gun  was  fake. 

b.  The  woman  behind  the  counter  told 
them,  “Don’t  be  so  silly.  I’m  going  to  ring 
the  police,”  and  did. 

c.  While  in  the  post  office,  their  getaway  car 
was  boxed  in. 

d.  All  of  the  above. 

3.  True  or  False:  A  family  in  Poland 
allegedly  stole  their  neighbor’s  roof  to 
sell  as  scrap  metal. 


4.  In  Washington,  D.C.,  a  man  allegedly 
walked  into  a  backyard  barbecue  and 
pointed  a  gun  at  a  14-year-old  girl’s  head. 
Then  what  happened? 

a.  The  girl,  a  karate  black  belt,  wrestled 
the  gun  out  of  his  hands  and  he  was 
subdued. 

b.  The  girl’s  dad  jumped  the  man,  threw 
him  onto  the  hot  grill  and  he  fled,  burned. 

c.  An  unseen  guest  inside  called  911  and 
the  police  arrived  to  defuse  the  situation. 

d.  The  robber  stayed  for  wine  and  cheese 
with  the  family. 

5.  What  did  a  thief  in  the  Philippines  who 
allegedly  stole  two  mobile  phones  do  after 
being  chased  by  the  police  for  500  meters? 

a.  Trip  on  his  own  feet  and  fall,  breaking  his  leg. 

b.  Run  into  a  pole  when  he  was  looking 
back  to  see  if  they  were  gaining  on  him. 

c.  Stop  and  call  "time  out,”  making  the 
universal  T  sign  with  his  hands. 

d.  Jump  into  a  nearby  car,  which  turned  out 
to  be  the  police  officers'  car. 


6.  Match  the  alleged  thieves  with  the 
location  where  they  were  caught: 

a.  Wisconsin  man  who  robbed  $200  from  a 
general  store. 

b.  Two  Chinese  men  who  stole  money  and 
a  mobile  phone  from  a  store  customer. 

c.  A  Connecticut  duo  who  stole  a  laptop 
and  cash  from  a  hotel. 

d.  An  Austrian  jewel  thief  who  robbed  a 
home. 

1.  In  the  parking  lot  of  the  local  police  sta¬ 
tion,  which  they  drove  into  by  accident. 

2.  Drinking  a  beer  at  a  bar,  less  than  a  mile 
away,  with  the  getaway  car  and  its  ID’d 
license  plate  parked  out  front. 

3.  Passed  out  drunk  in  the  home’s  bedroom. 

4.  At  the  scene  of  the  crime,  after  returning 
there  to  settle  a  bet  on  whether  the  store 
had  surveillance  cameras.  (It  did.) 

7.  Why  shouldn’t  a  Hilton  Head,  S.C.,  man 
have  reported  his  car  stolen? 

a.  There  were  allegedly  drugs  and  a  scale 
in  the  car. 

b.  The  vehicle  was  found  at  a  country  club 
where  a  burglary  alarm  had  gone  off 
and  someone  had  left  footprints  in  the 
morning  dew. 

c.  When  he  claimed  the  car,  police  found  the 
man  was  carrying  $71,  the  amount  stolen 
from  a  local  sub  shop  the  night  before. 

d.  A  K-9  team  found  a  scent  trail  back  to  the 
address  the  man  had  reported  the  car 
stolen  from,  where  an  alleged  accom¬ 
plice  in  the  sub  shop  burglary  lived. 

Bonus  Question:  What  tipped  off  police 
that  the  two  bills  used  by  a  man  in  an 
airport  hotel  were  counterfeit? 

ANSWERS:  1.  B—HE  WAS  APPREHENDED  BECAUSE  HIS  LEAVES  DIDN’T 
COMPLETELY  COVER  HIS  FACE;  2.  D—FROM  JAIL,  THE  RINGLEADER 
WROTE  AN  APOLOGY  NOTE  TO  THE  WOMAN;  3.  FALSE—THE  FAMILY 
STOLE  THE  ROOF  OF  THEIR  OWN  APARTMENT  BUILDING  AFTER 
DETERMINING  THAT  SINCE  THEY  LIVED  ON  THE  FIRST  FLOOR,  THEY 
WOULDN'T  GET  RAINED  ON;  4.  D—AFTER  ENJOYING  CHATEAU 
MALESCOT  SAINT-EXUPERY  AND  CAMEMBERT  CHEESE,  HE  SAID,  “I 
THINK  I  MAY  HAVE  COME  TO  THE  WRONG  HOUSE.  CAN  I  GET  A  GROUP 
HUG?”;  5.  C;  6.  A-2,  B-4,  C-1,  D-3;  7.  TRICK  QUESTION:  ALL  OF  THE 
ABOVE;  BONUS  QUESTION:  THEY  WERE  $16  BILLS 

How’d  You  Do? 

1-3  POINTS:  YOUR  ROOF'S  MISSING 

4-6  POINTS:  TIME  OUT! 

7-8  POINTS:  DON'T  BE  SILLY 




ILLUSTRATION  BY  JANICE  NADEAU 


Who  provides  the 
cyber  intelligence  that 
can  keep  your  company 
out  of  the  dark? 


Cyveillance.  The  world  leader  in  cyber  intelligence. 

Every  day,  new  threats  emerge  online  that  could  harm  the  very  core  of  your  business. 
That’s  why  industry  leaders  are  turning  to  Cyveillance  for  a  proven  intelligence-led 
approach  to  address  the  full  scope  of  today’s  online  risk  environment. 

From  malware  and  identity  theft  to  phishing,  unlicensed  product  sales,  and 
corporate  espionage,  Cyveillance  covers  the  entire  spectrum  of  Internet  risks.  With 
the  most  comprehensive  Internet  monitoring  infrastructure,  a  real-time  portal,  and 
dedicated  support  from  cyber  intelligence  experts,  Cyveillance  gives  you  the  intelligence 
to  stop  threats  before  they  cause  harm. 

Don’t  depend  on  conventional  monitoring  solutions  to  keep  your  organization 
in  the  know.  Stay  on  top  of  online  threats  with  Cyveillance,  the  world  leader  in 
cyber  intelligence. 


Download  the  new  white  paper: 
Intelligence-Led  Security 

www.cyveillance.com/CSO 


We're  secure.  We're  compliant. 

Now  we're  busting  out  the 

SHURIMDYA 

(Security  Helps  Us  Rake  In  More  Dollars,  Yen  And  Euros) 



Congratulations.  Your  IT  security  is  working  hard.  But  there's  something  more  it  should  do  (besides  the  protection,  compliance, 
access,  etc.).  IT  security  should  actually  make  your  business  more  efficient.  More  flexible.  More  competitive.  CA  can  help.  Our 
Security  Management  centralizes  your  identity  and  access  management  to  turn  IT  security  into  a  proactive,  business-building 
tool.  So  your  security  strengthens  customer  relationships,  grows  partnerships  and  helps  your  enterprise  address  changing 
markets  with  ninja-like  agility.  All  with  CA's  best-in-class  modularity,  scalability  and  integration.  But  don't  just  take  our  acronym 
for  it.  Download  the  white  paper,  "Security  Management:  Aligning  Security  with  Business  Opportunities,"  at  ca.com/secure. 


GOVERN  •  MANAGE  •  SECURE 


Transforming 
IT  Management 


